diff --git a/README.md b/README.md
index c3f55312d..4a8010b25 100644
--- a/README.md
+++ b/README.md
@@ -78,6 +78,7 @@ If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip f
 | `ufw_default_output_policy` | ACCEPT | set default output policy of ufw to `ACCEPT` |
 | `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` |
 | `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. |
+| `os_auditd_max_log_file_action` | `keep_logs` | Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. |
 
 ## Packages
 
diff --git a/defaults/main.yml b/defaults/main.yml
index 85f08f184..68e578811 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -250,6 +250,7 @@ os_hardening_enabled: true
 # Set to false to disable installing and configuring auditd.
 os_auditd_enabled: true
+os_auditd_max_log_file_action: keep_logs
 
 # Set the SELinux state, can be either disabled, permissive, or enforcing.
 os_selinux_state: enforcing
 
diff --git a/templates/etc/audit/auditd.conf.j2 b/templates/etc/audit/auditd.conf.j2
index 4f3040f70..8da8cfc71 100644
--- a/templates/etc/audit/auditd.conf.j2
+++ b/templates/etc/audit/auditd.conf.j2
@@ -10,7 +10,7 @@ dispatcher = /sbin/audispd
 name_format = NONE
 ##name = mydomain
 max_log_file = 6
-max_log_file_action = keep_logs
+max_log_file_action = {{ os_auditd_max_log_file_action }}
 space_left = 75
 space_left_action = SYSLOG
 action_mail_acct = root
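Review bot: The new `os_auditd_max_log_file_action: keep_logs` line in defaults/main.yml is the only variable in this hunk without the explanatory comment its neighbours carry (`os_auditd_enabled` and `os_selinux_state` each have one), and the security trade-off behind the default is exactly what an operator overriding it needs to see. I would precede it with `# Action auditd takes when max_log_file is reached. keep_logs never discards audit data; rotate, ignore or syslog can silently drop or overwrite events, so only change this if log retention is handled elsewhere.` The README row already hints at this, but defaults/main.yml is where the override is usually made.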
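Review bot: The template line `max_log_file_action = {{ os_auditd_max_log_file_action }}` interpolates the variable verbatim, and nothing in this diff constrains it to the values auditd.conf accepts (ignore, syslog, suspend, rotate, keep_logs); a typo or an unexpected value would, as far as I can tell, make auditd reject its configuration at startup and leave the host without auditing until someone notices. Since the role's tasks file is outside this diff, I would add an `ansible.builtin.assert` on `os_auditd_max_log_file_action in ['ignore', 'syslog', 'suspend', 'rotate', 'keep_logs']` before the template task, with a `fail_msg` naming the offending value. The surrounding `space_left_action = SYSLOG` line is unchanged, so with the default `keep_logs` a full disk still only produces a syslog warning; worth stating in the README row that `keep_logs` relies on disk-space monitoring.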