How long are the logs in the "/var/audit" folder kept?

johannnz
New Contributor

I know that you can modify the file "/etc/asl.conf" to make most of the system logs be kept as long as you need them.

But I would like to know if the logs in "/var/audit" are also affected by this file, and if not, what is the default amount of time those logs are kept in macOS? Can I modify that, for example to make the system keep them for 90 days or 120 days?

Thanks in advance!

1 REPLY

gachowski
Valued Contributor II

Yes, but we had issues with it, as it didn't follow the rules we set, and sometimes /var/audit would keep GB and GB of logs until the OS would crash because of no swap space. Then there was a bug with Sierra that would KP the machines if you had configured per the CIS benchmarks, so we stopped it. Also, since then the logging has been changed. I think this is one of the sites I had bookmarked to investigate:

https://www.mac4n6.com/blog/2016/11/13/new-macos-sierra-1012-forensic-artifacts-introducing-unified-logging

and this

https://eclecticlight.co/?s=log