/var/log/audit occupying more space in Automation Suite

After Automation Suite is installed, the audit folder is the only one under /var/log that occupies a lot of space and keeps piling up. We want to prevent this so that overall hard disk space remains free; otherwise the VM goes into stopped mode.

Prerequisites

Please confirm whether logrotate is configured for the audit logs.

UiPath usually recommends having a short log rotation duration, preferably hourly or daily. If the log cannot be rotated that frequently, then a higher capacity is recommended.

Below are the ideal recommendations:

  1. Maintaining at least 8GB for /var/log
  2. Logrotate hourly or daily. Otherwise, the user will need higher-capacity storage

Resolution

To rotate the audit logs generated by the auditd service on a Linux system, you can use the logrotate utility, which is a standard tool for managing log files. Here's how you can set up log rotation for auditd:

  • Edit the Logrotate Configuration: Open the logrotate configuration file for editing. This file is typically located at /etc/logrotate.conf or in a separate file within the /etc/logrotate.d/ directory. You can use a text editor like nano or vim. For example:
      sudo nano /etc/logrotate.d/auditd

  • Add Configuration for auditd Logs: Inside the logrotate configuration file, add a section for auditd logs. The section header names the log files to rotate; it can be an exact path such as /var/log/audit/audit.log or a wildcard pattern. Here's an example:
      /var/log/audit/audit.log {
          weekly
          rotate 4
          compress
          delaycompress
          missingok
          notifempty
          create 0640 root root
          postrotate
              /sbin/service auditd restart
          endscript
      }
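    • weekly: Rotate the logs weekly. You can use other options like daily, monthly, etc., as needed; the recommendation above is hourly or daily. Note that hourly only takes effect if logrotate itself is run every hour.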
    • rotate 4: Keep up to 4 rotated log files.
    • compress: Compress the rotated logs.
    • delaycompress: Delay compression until the next rotation cycle.
    • missingok: Don't produce an error if the log file is missing.
    • notifempty: Don't rotate the log if it's empty.
    • create 0640 root root: Create new log files with the specified permissions and ownership.
    • postrotate and endscript: These lines contain commands to execute after log rotation. In this case, it restarts the auditd service to start a new log file.
  • Save and Exit: Save the changes to the logrotate configuration file and exit the text editor.
  • Test the Configuration: You can test the log rotation configuration without waiting for the scheduled rotation by running:
      logrotate -d /etc/logrotate.d/auditd

This will provide the verbose output of what logrotate would do without actually making any changes.

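  • Restart Logrotate: You don't need to manually run logrotate; it is typically scheduled as a cron job. However, if you want to force log rotation immediately, you can run the command below. It forces rotation of every log that the given configuration file covers, not only the audit log:
      logrotate -f /etc/logrotate.conf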

Log rotation for auditd logs should now be set up according to your specified configuration. The logs will be rotated according to the schedule you defined, and old logs will be compressed and retained as per your settings.
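
To confirm the prerequisite above (that a stanza for the audit log exists and rotates hourly or daily), the following shell functions are an added example, not UiPath's own tooling. The function names and the temporary sample file are assumptions; the sample stanza is constructed from the one on this page.

```shell
#!/bin/sh
# Added example, not UiPath's code. Matches exact-path stanza headers only.

# stanza_frequency CONFIG LOGPATH
# Prints hourly|daily|weekly|monthly|yearly, "unset" when the stanza has no
# frequency directive of its own, or "missing" when no stanza names LOGPATH.
stanza_frequency() {
    awk -v target="$2" '
        /^[ \t]*#/ { next }                                  # comment line
        script { if ($1 == "endscript") script = 0; next }   # skip script bodies
        !inside && /[{][ \t]*$/ {                            # header: paths, then "{"
            inside = 1; wanted = 0
            for (i = 1; i <= NF; i++) if ($i == target) { wanted = 1; found = 1 }
            next
        }
        inside && $1 ~ /^(prerotate|postrotate|firstaction|lastaction|preremove)$/ { script = 1; next }
        inside && $1 == "}" { inside = 0; next }
        inside && wanted && $1 ~ /^(hourly|daily|weekly|monthly|yearly)$/ { freq = $1 }
        END { print (!found ? "missing" : (freq == "" ? "unset" : freq)) }
    ' "$1"
}

# rotation_verdict CONFIG LOGPATH
# Returns 0 only when the stanza rotates hourly or daily, as recommended above.
rotation_verdict() {
    freq=$(stanza_frequency "$1" "$2")
    case "$freq" in
        hourly|daily) echo "OK: $2 rotates $freq"; return 0 ;;
        missing)      echo "FAIL: no stanza for $2 in $1"; return 1 ;;
        unset)        echo "WARN: $2 inherits the global frequency"; return 1 ;;
        *)            echo "WARN: $2 rotates $freq, not hourly or daily"; return 1 ;;
    esac
}

# Constructed sample: a shortened copy of the stanza shown on this page.
sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/var/log/audit/audit.log {
    weekly
    rotate 4
    postrotate
        /sbin/service auditd restart
    endscript
}
EOF
    echo "$f"
}
cfg=$(sample_config); rotation_verdict "$cfg" /var/log/audit/audit.log || true; rm -f "$cfg"
```

On a real host, call rotation_verdict /etc/logrotate.d/auditd /var/log/audit/audit.log; an "unset" result means the frequency comes from the global section of /etc/logrotate.conf.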