InformationThe max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs.
In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.
SolutionSet the following parameter in /etc/audit/auditd.conf:
max_log_file_action = keep_logs
NIST SP 800-53 Rev. 5: