Update: I let the process run while I was typing the above post and it went from 12% to 27%.
I'm used to sealert -a finishing up in less than a minute, but that was when I was setting up my first website on this server.
So I think to myself, "This must be an issue with the volume of my audit log!"
So I checked out the contents of /var/log/audit/ and it looks like this:
[root@myserver audit]# ll -h
total 35M
-rw-------. 1 root root 2.2M Dec 18 19:28 audit.log
-r--------. 1 root root 8.1M Dec 18 18:54 audit.log.1
-r--------. 1 root root 8.1M Dec 18 15:24 audit.log.2
-r--------. 1 root root 8.1M Dec 18 10:35 audit.log.3
-r--------. 1 root root 8.1M Dec 18 08:43 audit.log.4
So I'm filling up an 8.1M audit log every three to five hours. One of them filled up in a little over 30 minutes.
I also noticed that audit.log grew by 0.4M while I was poking around and typing this. So I think, "Maybe it's going so slow because the file it's trying to analyze is changing in real time?" I killed the sealert process and tried running an audit of audit.log.1 — this time it froze at 83%.
Is this normal? For audit logs to get that big, that quickly?
Should it be taking this long for sealert to analyze them?
Please be kind! I've only been a Linux user for eight months.
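As an added example (not part of the original post or of the sealert tool), here is a small POSIX shell script that answers the "what is filling the log so fast?" question directly, without waiting on sealert: it tallies AVC denials by process, source type, target type, object class and permission, and estimates the record rate from the audit(EPOCH:SERIAL) timestamps. The audit records embedded in SAMPLE_AUDIT are constructed for this example; they are not from the poster's server.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials in an audit log and estimate
# how fast records are being written. Not sealert's own logic; plain grep,
# sed and awk over standard audit.log lines.

# Constructed sample records (hypothetical pids, inodes and timestamps), so
# the script runs offline. Real input would come from /var/log/audit/.
SAMPLE_AUDIT='type=AVC msg=audit(1734550000.000:4501): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1734550000.000:4501): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1734550001.500:4502): avc:  denied  { read } for  pid=1234 comm="httpd" name="style.css" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1734550002.500:4503): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1734550006.000:4504): avc:  denied  { read } for  pid=1234 comm="httpd" name="app.js" dev="dm-0" ino=12347 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_summary: read audit records on stdin, print one line per distinct
# denial pattern as "COUNT comm source_type target_type tclass permissions",
# most frequent first. Only kernel AVC lines count; USER_AVC, SYSCALL and
# other record types are ignored.
avc_summary() {
    grep -E '^type=AVC .*denied' |
    sed -E 's/.*denied  [{] ([^}]*) [}].*comm="([^"]*)".*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([^ ]*).*/\2 \3 \4 \5 \1/' |
    awk '{ c[$0]++ } END { for (k in c) print c[k], k }' |
    sort -rn
}

# audit_records_per_hour: count every record on stdin and divide by the
# wall-clock span between the first and last audit(EPOCH.MS:SERIAL) stamp.
# Prints an integer; prints 0 if fewer than two distinct timestamps exist.
audit_records_per_hour() {
    awk 'match($0, /audit\([0-9]+\.[0-9]+:/) {
             # strip the leading "audit(" (6 chars) and trailing ":" (1 char)
             t = substr($0, RSTART + 6, RLENGTH - 7) + 0
             if (n == 0) first = t
             last = t
             n++
         }
         END {
             if (n > 1 && last > first)
                 printf "%.0f\n", n / ((last - first) / 3600)
             else
                 print 0
         }'
}

# Demo on the constructed sample. For a real log (needs root):
#   avc_summary < /var/log/audit/audit.log.1
#   audit_records_per_hour < /var/log/audit/audit.log.1
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | audit_records_per_hour
```

The summary output is what you would feed back into a decision: one line dominating the count (here httpd reading files labelled user_home_t) points at a labelling or boolean problem, and fixing that single source usually stops the log churn; the rate figure lets you compare before and after. Note that the rate over a sample spanning a few seconds, as in the constructed data, is only meaningful as a demonstration of the arithmetic; run it over a full rotated file for a real number.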