# Sensor Proxy Audit Log Rotation
The temperature sensor proxy writes append-only, hash-chained audit events to
/var/log/pulse/sensor-proxy/audit.log. The file is created with 0640
permissions, owned by pulse-sensor-proxy, and protected with chattr +a via
scripts/secure-sensor-files.sh. Because the process keeps the file handle open
and enforces append-only mode, you must follow the steps below to rotate the
log without losing events.
## When to Rotate
- File exceeds 200 MB or contains more than 30 days of history
- Prior to exporting evidence for an incident review
- Immediately before changing log-forwarding endpoints (rsyslog/RELP)
The proxy falls back to stderr (systemd journal) only when the file cannot be opened. Do not rely on the fallback for long-term retention.
## Pre-flight Checklist

- Confirm the service is healthy:

  ```bash
  systemctl status pulse-sensor-proxy --no-pager
  ```

- Make sure /var/log/pulse/sensor-proxy is mounted with enough free space:

  ```bash
  df -h /var/log/pulse/sensor-proxy
  ```

- Note the current scheduler health inside Pulse for later verification:

  ```bash
  curl -s http://localhost:7655/api/monitoring/scheduler/health | jq '.queue.depth, .deadLetter.count'
  ```
## Manual Rotation Procedure
Run these steps as root on the Proxmox host that runs the proxy.
- Remove the append-only flag (logrotate needs to truncate the file):

  ```bash
  chattr -a /var/log/pulse/sensor-proxy/audit.log
  ```

- Copy the current file to an evidence path, then truncate in place. Events the proxy writes between the copy and the truncate are lost, so run the two commands back to back:

  ```bash
  ts=$(date +%Y%m%d-%H%M%S)
  cp -a /var/log/pulse/sensor-proxy/audit.log /var/log/pulse/sensor-proxy/audit.log.$ts
  : > /var/log/pulse/sensor-proxy/audit.log
  ```

- Restore permissions and the append-only flag:

  ```bash
  chown pulse-sensor-proxy:pulse-sensor-proxy /var/log/pulse/sensor-proxy/audit.log
  chmod 0640 /var/log/pulse/sensor-proxy/audit.log
  chattr +a /var/log/pulse/sensor-proxy/audit.log
  ```

- Restart the proxy so the file descriptor is reopened:

  ```bash
  systemctl restart pulse-sensor-proxy
  ```

- Verify the service recreated the correlation hash chain:

  ```bash
  journalctl -u pulse-sensor-proxy -n 20 | grep -i "audit" || true
  ```

- Re-check Pulse adaptive polling health (temperature pollers rely on the proxy):

  ```bash
  curl -s http://localhost:7655/api/monitoring/scheduler/health \
    | jq '.instances[] | select(.key | contains("temperature")) | {key, breaker: .breaker.state, deadLetter: .deadLetter.present}'
  ```

  All temperature instances should show `breaker: "closed"` with `deadLetter: false`.
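The whole manual procedure as one script, added here as an example and not part of the Pulse project. It uses the paths, service name and owner from this runbook; `EVIDENCE_DIR` (where the timestamped copy goes) and `SKIP_PRIV` (set to 1 to skip `chattr`, `chown` and `systemctl` so the copy-and-truncate logic can be exercised on a scratch file without root) are this script's own assumptions. The scheduler-health check reads the JSON the health endpoint returns and fails if any temperature instance has an open breaker or a dead-letter entry, which is the condition the last step above asks you to rule out.

```shell
#!/usr/bin/env bash
# Added example: the manual rotation procedure as one script. Not part of
# the Pulse project. EVIDENCE_DIR and SKIP_PRIV are assumptions of this
# script, not settings the proxy or runbook defines.
set -eu

LOG="${LOG:-/var/log/pulse/sensor-proxy/audit.log}"
SERVICE="${SERVICE:-pulse-sensor-proxy}"
OWNER="${OWNER:-pulse-sensor-proxy:pulse-sensor-proxy}"
EVIDENCE_DIR="${EVIDENCE_DIR:-/var/log/pulse/sensor-proxy}"
SKIP_PRIV="${SKIP_PRIV:-0}"   # 1 = no chattr/chown/systemctl (testing on a scratch file)

# Copy the live audit file to "<dest_dir>/audit.log.<timestamp>" and truncate
# the original in place. Prints the path of the copy. Events written between
# the cp and the truncate are lost, so nothing else runs between them.
rotate_audit_log() {
  local log="$1" dest_dir="$2" ts copy
  ts=$(date +%Y%m%d-%H%M%S)
  copy="$dest_dir/$(basename "$log").$ts"
  [ "$SKIP_PRIV" = 1 ] || chattr -a "$log"   # truncation is refused while +a is set
  cp -a "$log" "$copy"
  : > "$log"
  if [ "$SKIP_PRIV" != 1 ]; then
    chown "$OWNER" "$log"
    chmod 0640 "$log"
    chattr +a "$log"
  fi
  printf '%s\n' "$copy"
}

# Read the scheduler health JSON on stdin; succeed only when every instance
# whose key contains "temperature" has breaker.state == "closed" and no
# dead-letter entry. jq -e turns the boolean into the exit status.
temperature_pollers_healthy() {
  jq -e '[.instances[]
          | select(.key | contains("temperature"))
          | select(.breaker.state != "closed" or .deadLetter.present == true)]
         | length == 0' >/dev/null
}

main() {
  local copy
  systemctl status "$SERVICE" --no-pager >/dev/null      # pre-flight: service healthy
  copy=$(rotate_audit_log "$LOG" "$EVIDENCE_DIR")
  sha256sum "$copy"                                      # record with the evidence upload
  systemctl restart "$SERVICE"                           # proxy reopens the file, new chain
  journalctl -u "$SERVICE" -n 20 | grep -i audit || true
  if curl -s http://localhost:7655/api/monitoring/scheduler/health | temperature_pollers_healthy; then
    echo "temperature pollers healthy"
  else
    echo "breaker open or dead letter present; see Troubleshooting" >&2
    exit 1
  fi
}

# Only rotate when invoked explicitly:  ./rotate-sensor-audit.sh --run
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as root on the Proxmox host with `--run`; without that argument the script only defines its functions, which is what lets the copy-and-truncate step be tried on a throwaway file first.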
## Logrotate Configuration
Automate rotation with /etc/logrotate.d/pulse-sensor-proxy. Copy the snippet
below and adjust retention to match your compliance needs:
```
/var/log/pulse/sensor-proxy/audit.log {
    weekly
    rotate 8
    compress
    missingok
    notifempty
    create 0640 pulse-sensor-proxy pulse-sensor-proxy
    sharedscripts
    prerotate
        /usr/bin/chattr -a /var/log/pulse/sensor-proxy/audit.log || true
    endscript
    postrotate
        /bin/systemctl restart pulse-sensor-proxy.service || true
        /usr/bin/chattr +a /var/log/pulse/sensor-proxy/audit.log || true
    endscript
}
```
Keep copytruncate disabled—the restart ensures the proxy writes to a fresh
file with a new hash chain. Dry-run the configuration with
`logrotate -d /etc/logrotate.d/pulse-sensor-proxy` before relying on it. Always
forward rotated files to your SIEM before removing them.
## Forwarding Validations
If you forward audit logs over RELP using scripts/setup-log-forwarding.sh:
- Tail the forwarding log:

  ```bash
  tail -f /var/log/pulse/sensor-proxy/forwarding.log
  ```

- Ensure queues drain (`action.resumeRetryCount=-1` keeps retrying).
- Confirm the remote receiver ingests the new file (look for the `pulse.audit` tag).
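For reference, an rsyslog configuration that forwards the audit file over RELP with the queue behaviour the checks above assume. This is an added illustration, not the configuration `scripts/setup-log-forwarding.sh` writes; the receiver host `siem.example.internal`, port `2514` and the ruleset name are placeholders. `reopenOnTruncate` is included because the manual procedure truncates the file in place, which imfile does not notice by default.

```conf
# Added example, not the output of scripts/setup-log-forwarding.sh.
# Target host, port and ruleset name are placeholders.
module(load="imfile")
module(load="omrelp")

# Follow the audit file and tag events so the receiver can filter on pulse.audit.
# reopenOnTruncate makes imfile restart from offset 0 after an in-place truncate.
input(type="imfile"
      File="/var/log/pulse/sensor-proxy/audit.log"
      Tag="pulse.audit"
      reopenOnTruncate="on"
      ruleset="pulseAudit")

# Disk-assisted queue so a receiver outage or a proxy/rsyslog restart does not
# drop events; resumeRetryCount=-1 retries indefinitely instead of discarding.
ruleset(name="pulseAudit") {
  action(type="omrelp"
         target="siem.example.internal"
         port="2514"
         tls="on"
         queue.type="LinkedList"
         queue.filename="pulse_audit_relp"
         queue.saveOnShutdown="on"
         action.resumeRetryCount="-1")
}
```

After a rotation, the "queues drain" check is the disk-assisted queue above emptying; if `forwarding.log` keeps reporting suspended actions, the receiver, not the rotation, is the problem.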
## Troubleshooting
| Symptom | Action |
|---|---|
| Operation not permitted when truncating | chattr -a was not executed or SELinux/AppArmor denies it. Check auditd. |
| Proxy fails to restart | Run journalctl -u pulse-sensor-proxy -xe for context. The proxy refuses to start if the audit file cannot be opened. |
| Temperature polls stop after rotation | Check /api/monitoring/scheduler/health for dead-letter entries. Restart the main Pulse service if breakers stay open. |
Once logs are rotated and validated, upload the archived copy to your evidence store and record the event in your change log.