[Aide] Once more, questions about ANF/ARF
Marc Haber
mh+aide at zugschlus.de
Sun Feb 12 13:04:20 EET 2006
Hi,
I have still not yet fully grasped how ANF/ARF work. Given is my
/var/log/aide directory where the daily cron job puts aide output and
error logs:
$ ls -al /var/log/aide/
total 72K
drwxr-xr-x 2 root root 4.0K Feb 12 07:35 ./
drwxr-xr-x 23 root root 4.0K Feb 1 07:45 ../
-rw-r----- 1 root adm 1.7K Feb 12 07:43 aide.log
-rw-r----- 1 root adm 357 Feb 11 07:43 aide.log.0
-rw-r----- 1 root adm 457 Feb 10 07:43 aide.log.1.gz
-rw-r----- 1 root adm 1.2K Feb 9 07:43 aide.log.2.gz
-rw-r----- 1 root adm 396 Feb 8 07:43 aide.log.3.gz
-rw-r----- 1 root adm 7.3K Feb 7 07:44 aide.log.4.gz
-rw-r----- 1 root adm 2.4K Feb 6 07:43 aide.log.5.gz
-rw-r----- 1 root adm 5.0K Feb 5 07:44 aide.log.6.gz
-rw-r----- 1 root adm 0 Feb 12 07:43 error.log
-rw-r----- 1 root adm 0 Feb 11 07:43 error.log.0
-rw-r----- 1 root adm 32 Feb 10 07:43 error.log.1.gz
-rw-r----- 1 root adm 32 Feb 9 07:43 error.log.2.gz
-rw-r----- 1 root adm 32 Feb 8 07:43 error.log.3.gz
-rw-r----- 1 root adm 32 Feb 7 07:44 error.log.4.gz
-rw-r----- 1 root adm 32 Feb 6 07:43 error.log.5.gz
-rw-r----- 1 root adm 32 Feb 5 07:44 error.log.6.gz
$

I have these rules:
StaticDir = n+p+i+u+g
LowLogs = n+p+u+g
RotatedLogs = I+n+p+i+u+g+s+b+m+md5+sha1+rmd160+haval+gost+crc32+tiger
/var/log/aide$ StaticDir
/var/log/aide/(aide|error)\.log(\.0)?$ LowLogs
/var/log/aide/(aide|error)\.log\.1\.gz$ RotatedLogs+ANF
/var/log/aide/(aide|error)\.log\.[2345]\.gz$ RotatedLogs
/var/log/aide/(aide|error).log\.6\.gz$ RotatedLogs+ARF

aide 0.11rc3 reports:
Added files:
added:/var/log/aide/aide.log.2.gz
added:/var/log/aide/error.log.2.gz
Removed files:
removed:/var/log/aide/error.log.5.gz
removed:/var/log/aide/aide.log.5.gz

So, the ANF does seem to suppress the new .1.gz files from being
reported as new, and the ARF does seem to suppress the removed .6.gz
files from being reported as removed, but I don't understand why the
_not_ new .2.gz files (they come from mv .1.gz .2.gz) are reported as
new, and why the _not_ removed .5.gz files (they go to .6.gz via
mv .5.gz .6.gz) are reported as removed.

Is this a (new?) bug in aide, or do I still have my aide
misconfigured? Any ideas what I can do to debug?
Any hints will be appreciated.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835