Adjust /var/log/journal monitoring in default config file

By default, log files are expected to grow but persistent journal files are not handled correctly. The persistent journal is stored in /var/log/journal, hence falls into the LOG rule. Unfortunately, since some version of Fedora, the journal files get an extended attribute user.crtime_usec which updates when the file rotates.
Make sure to leave this out from the report.
This commit is contained in:
Cropi 2025-09-22 16:19:04 +02:00
commit d25ee9c764

@ -128,8 +128,10 @@ DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
# Access control only - added file type and link name
PERMS = ftype+p+i+l+u+g+acl+selinux
# Logfile are special, in that they often change
LOG = >
# Logfiles are special, in that they often change
# Don't track inodes (-i) since log rotation creates new files with different inodes
# Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques
LOG = >+ANF+ARF-i
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes - updated with modern hash
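Review bot: at `LOG = >+ANF+ARF-i`, the ANF/ARF allowance and the dropped inode check now apply to every rule that uses LOG, including `/var/run/utmp LOG` further down in this file, not only to `/var/log`. The commit message only describes the journal xattr problem, so either mention this wider change there or keep `+ANF+ARF` on the `/var/log` rule and leave the group definition narrower. The new comments justify `-i` and ANF/ARF by log rotation; a short remark that added and removed files under LOG paths will therefore no longer be reported would make the monitoring trade-off explicit.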
@ -234,13 +236,18 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
/etc/libaudit.conf$ NORMAL
/etc/aide.conf$ NORMAL
# System logs
# System logs with proper logrotate handling
/etc/rsyslog.conf$ NORMAL
/etc/rsyslog.d NORMAL
/etc/logrotate.conf$ NORMAL
/etc/logrotate.d NORMAL
/etc/systemd/journald.conf$ NORMAL
/var/log LOG+ANF+ARF
# Log directory
/var/log LOG
# Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes
/var/log/journal LOG-xattrs
/var/run/utmp LOG
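Review bot: `/var/log/journal LOG-xattrs` drops all extended-attribute checks for the journal tree, not just `user.crtime_usec`, so any other xattr change on those files will also go unreported. Say so in the comment above the rule, and name the Fedora or systemd version where the attribute started changing if it is known, so the exclusion can be revisited later. The comments `# System logs with proper logrotate handling` and `# Log directory` now overlap; one is enough.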