Accommodate for constantly changing log files

Many log files constantly change, especially if they are rotated.
Many of those files have changing xattrs, e2fsattrs, caps and acl(s).
So let's not monitor them, unless there will be many false positives.
Cropi 2025-09-24 08:16:59 +02:00
commit 8479fabb2f


@ -128,11 +128,11 @@ DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
# Access control only - added file type and link name
PERMS = ftype+p+i+l+u+g+acl+selinux
# Logfiles are special, in that they often change
# Don't track inodes (-i) since log rotation creates new files with different inodes
# Don't track size (-s) since log rotation causes size decreases that we don't care about
# Logfiles are special, in that they often change due to log rotation
# Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes
# Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques
LOG = >+ANF+ARF-i-s
# Don't track: size, inodes, timestamps, checksums and some special attributes (these change frequently with log rotation)
LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes - updated with modern hash
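Review bot: the new `LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs` silently drops `S` (growing-size check), `l` (link name) and `acl`, all of which the old `>` macro supplied; the old rule's `-s` removed only the plain size attribute, so shrinking logs were still reported. Losing `S` means a truncated or emptied log file, which is the tampering case a log integrity rule most wants to catch, no longer produces a finding. Suggest `LOG = p+ftype+u+g+n+S+ANF+ARF+selinux+xattrs` unless the drop is intentional, in which case the comment "Don't track: size, inodes, timestamps, checksums and some special attributes" should name the dropped attributes explicitly (growing size, link name, acl) rather than "some special attributes". Also note the commit message lists xattrs among the attributes that change on these files, yet the group keeps `xattrs`; either remove it here or say in the comment why it stays.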
@ -247,7 +247,7 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
# Log directory
/var/log LOG
# Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes
/var/log/journal LOG-xattrs-acl
/var/log/journal LOG-xattrs
/var/run/utmp LOG
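Review bot: dropping `-acl` from `/var/log/journal LOG-xattrs` is consistent with the LOG group in the hunk above no longer containing `acl`, so the line is correct, but the comment directly above it still only explains the xattrs exclusion; with xattrs removed the journal directory is now checked on `p+ftype+u+g+n+selinux` alone, so content or size changes to journal files go unreported, and that is worth stating there so nobody expects this rule to catch journal tampering. The unchanged `/var/run/utmp LOG` is fine with the new group since utmp is rewritten in place and LOG carries neither size nor checksum.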