Hacker News
by h43z 337 days ago
Do I understand that correctly that in order for logs to rotate you have to reboot?
1 comment

My thoughts exactly. And couldn’t an attacker just fill the logging volume with uninteresting events to prevent certain other events from being recorded?
That would be where something like auditd would come in, configured so that if the audit log location runs low on space (or out of space), it will halt the system.

(Yes, quite harsh, but for some use cases it may be the right thing to do, i.e. to fail closed).
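The fail-closed auditd setup described in that comment, written out as an added example (not the commenter's own configuration); the file path and option names are auditd's own, the numeric thresholds are illustrative:

```ini
# /etc/audit/auditd.conf (excerpt) -- added example, not taken from the thread.
# Each *_action key is shown with a fail-closed value; the comment beside it
# names the fail-open alternative that keeps the host running but stops logging.

# Rotation is performed by the daemon itself, by size, with no reboot needed.
max_log_file = 50                  # MB per file (illustrative)
num_logs = 10
max_log_file_action = ROTATE       # IGNORE / SYSLOG / SUSPEND / ROTATE / KEEP_LOGS

# First threshold: disk getting low. Warn an operator but keep auditing.
space_left = 500                   # MB free (illustrative)
space_left_action = EMAIL          # fail-open: SYSLOG only, easy to miss
action_mail_acct = root

# Second threshold: close to the edge. Drop to single-user mode so nothing of
# interest happens unaudited while space is freed.
admin_space_left = 100             # MB free (illustrative)
admin_space_left_action = SINGLE   # fail-open: SYSLOG or SUSPEND

# Volume full or I/O error: halt rather than continue without an audit trail.
# SUSPEND keeps the system up but silently stops writing records, which is
# exactly the window someone filling the volume with noise would be after.
disk_full_action = HALT
disk_error_action = HALT

# Kernel side, in /etc/audit/rules.d/*.rules (loaded by augenrules):
#   -f 2     panic on audit failure (0 = silent, 1 = printk, 2 = panic)
#   -b 8192  backlog so that bursts of events are queued rather than dropped
```

Reload with `service auditd restart` (or the distribution's equivalent) and confirm the effective settings with `auditctl -s`, which reports the kernel failure flag and backlog limit.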

Log filtering via severity / keywords prevents this, assuming the logs are regularly and properly checked.