[Aide] Once more, questions about ANF/ARF

Marc Haber mh+aide at zugschlus.de
Sun Feb 12 13:04:20 EET 2006


Hi,

I have still not fully grasped how ANF/ARF work. Here is my
/var/log/aide directory, where the daily cron job puts aide output and
error logs:

$ ls -al /var/log/aide/
total 72K
drwxr-xr-x   2 root root 4.0K Feb 12 07:35 ./
drwxr-xr-x  23 root root 4.0K Feb  1 07:45 ../
-rw-r-----   1 root adm  1.7K Feb 12 07:43 aide.log
-rw-r-----   1 root adm   357 Feb 11 07:43 aide.log.0
-rw-r-----   1 root adm   457 Feb 10 07:43 aide.log.1.gz
-rw-r-----   1 root adm  1.2K Feb  9 07:43 aide.log.2.gz
-rw-r-----   1 root adm   396 Feb  8 07:43 aide.log.3.gz
-rw-r-----   1 root adm  7.3K Feb  7 07:44 aide.log.4.gz
-rw-r-----   1 root adm  2.4K Feb  6 07:43 aide.log.5.gz
-rw-r-----   1 root adm  5.0K Feb  5 07:44 aide.log.6.gz
-rw-r-----   1 root adm     0 Feb 12 07:43 error.log
-rw-r-----   1 root adm     0 Feb 11 07:43 error.log.0
-rw-r-----   1 root adm    32 Feb 10 07:43 error.log.1.gz
-rw-r-----   1 root adm    32 Feb  9 07:43 error.log.2.gz
-rw-r-----   1 root adm    32 Feb  8 07:43 error.log.3.gz
-rw-r-----   1 root adm    32 Feb  7 07:44 error.log.4.gz
-rw-r-----   1 root adm    32 Feb  6 07:43 error.log.5.gz
-rw-r-----   1 root adm    32 Feb  5 07:44 error.log.6.gz
$

I have these rules:

StaticDir = n+p+i+u+g
LowLogs = n+p+u+g
RotatedLogs = I+n+p+i+u+g+s+b+m+md5+sha1+rmd160+haval+gost+crc32+tiger
/var/log/aide$ StaticDir
/var/log/aide/(aide|error)\.log(\.0)?$ LowLogs
/var/log/aide/(aide|error)\.log\.1\.gz$ RotatedLogs+ANF
/var/log/aide/(aide|error)\.log\.[2345]\.gz$ RotatedLogs
/var/log/aide/(aide|error).log\.6\.gz$ RotatedLogs+ARF

aide 0.11rc3 reports:
Added files:
added:/var/log/aide/aide.log.2.gz
added:/var/log/aide/error.log.2.gz
Removed files:
removed:/var/log/aide/error.log.5.gz
removed:/var/log/aide/aide.log.5.gz

So, the ANF does seem to suppress the new .1.gz files from being
reported as new, and the ARF does seem to suppress the removed .6.gz
files from being reported as removed, but I don't understand why the
_not_ new .2.gz files (they come from mv .1.gz .2.gz) are reported as
new, and why the _not_ removed .5.gz files (they go to .6.gz via
mv .5.gz .6.gz) are reported as removed.

Is this a (new?) bug in aide, or do I still have my aide
misconfigured? Any ideas what I can do to debug?

Any hints will be appreciated.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
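
Added example, not part of the original post and not AIDE code: a small Python check that maps each aide.log generation to the selection line from the post that matches it and simulates one rotation, so the by-name view of the directory can be compared with where each file's inode came from. Assumptions: regexes are anchored at the start and the first matching line wins, a rename keeps the inode while gzip writes a new file, and the inode numbers are constructed.

```python
import re

# Selection lines copied verbatim from the post: (regex, rule expression).
RULES = [
    (r"/var/log/aide$", "StaticDir"),
    (r"/var/log/aide/(aide|error)\.log(\.0)?$", "LowLogs"),
    (r"/var/log/aide/(aide|error)\.log\.1\.gz$", "RotatedLogs+ANF"),
    (r"/var/log/aide/(aide|error)\.log\.[2345]\.gz$", "RotatedLogs"),
    (r"/var/log/aide/(aide|error).log\.6\.gz$", "RotatedLogs+ARF"),
]
BASE = "/var/log/aide/aide.log"
GENERATIONS = ["", ".0", ".1.gz", ".2.gz", ".3.gz", ".4.gz", ".5.gz", ".6.gz"]

def rule_for(path):
    # Assumption: regexes are anchored at the start and the first match wins.
    for pattern, rule in RULES:
        if re.match(pattern, path):
            return rule
    return None

def rotate(files, next_inode):
    """One rotation of {path: inode}: drop .6.gz, shift generations, new log."""
    after = {BASE: next_inode}                      # fresh aide.log
    for older, newer in zip(GENERATIONS, GENERATIONS[1:]):
        after[BASE + newer] = files[BASE + older]   # rename keeps the inode
    after[BASE + ".1.gz"] = next_inode + 1          # gzip writes a new file
    return after

def compare(before, after):
    """Per path: (rule, status by name, earlier name of the same inode)."""
    origin = {inode: path for path, inode in before.items()}
    rows = {}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            status = "added"
        elif path not in after:
            status = "removed"
        else:
            status = "present in both"
        rows[path] = (rule_for(path), status, origin.get(after.get(path)))
    return rows

# Constructed sample: all eight generations exist, with inodes 100..107.
BEFORE = {BASE + g: 100 + i for i, g in enumerate(GENERATIONS)}
AFTER = rotate(BEFORE, next_inode=200)

if __name__ == "__main__":
    for path, row in compare(BEFORE, AFTER).items():
        print(path, *row, sep=" | ")
```
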

