diff --git a/audit-fix-check-log-file.patch b/audit-fix-check-log-file.patch
new file mode 100644
index 0000000000000000000000000000000000000000..886e8a7e5178f15227adc4ebece1e2f79798f7d5
--- /dev/null
+++ b/audit-fix-check-log-file.patch
@@ -0,0 +1,134 @@
+From c7d7ea970d073a6653a3401bc19ae0f453fe4b19 Mon Dec 17 00:00:00 2001
+From: zhuhongbo <zhuhongbo@uniontech.com>
+Date: Mon, 30 Dec 2024 15:24:27 +0800
+Subject: [PATCH] fix check log file
+
+---
+ src/auditd-event.c | 44 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/src/auditd-event.c b/src/auditd-event.c
+index 3405f1d..4ecd2a3 100644
+--- a/src/auditd-event.c
++++ b/src/auditd-event.c
+@@ -70,7 +70,7 @@ static void init_flush_thread(void);
+ /* Local Data */
+ static struct daemon_conf *config;
+ static volatile int log_fd;
+-static FILE *log_file;
++static FILE *log_file = NULL;
+ static unsigned int disk_err_warning = 0;
+ static int fs_space_warning = 0;
+ static int fs_admin_space_warning = 0;
+@@ -173,7 +173,8 @@ int init_event(struct daemon_conf *conf)
+ 	format_buf = (char *)malloc(FORMAT_BUF_LEN);
+ 	if (format_buf == NULL) {
+ 		audit_msg(LOG_ERR, "No memory for formatting, exiting");
+-		fclose(log_file);
++		if (log_file)
++			fclose(log_file);
+ 		log_file = NULL;
+ 		return 1;
+ 	}
+@@ -210,7 +211,8 @@ static void *flush_thread_main(void *arg)
+ 		flush = 0;
+ 		pthread_mutex_unlock(&flush_lock);
+ 
+-		fsync(log_fd);
++		if (log_fd >= 0)
++			fsync(log_fd);
+ 	}
+ 	return NULL;
+ }
+@@ -563,7 +565,8 @@ void handle_event(struct auditd_event *e)
+ 				if (config->daemonize == D_BACKGROUND) {
+ 					if (config->flush == FT_INCREMENTAL) {
+ 						/* EIO is only likely failure */
+-						if (fsync(log_fd) != 0) {
++						if (log_fd >= 0 &&
++							fsync(log_fd) != 0) {
+ 						     do_disk_error_action(
+ 							"fsync",
+ 							errno);
+@@ -718,6 +721,9 @@ static void check_space_left(void)
+ 	int rc;
+ 	struct statfs buf;
+ 
++	if (log_fd < 0)
++		return;
++
+         rc = fstatfs(log_fd, &buf);
+         if (rc == 0) {
+ 		if (buf.f_bavail < 5) {
+@@ -799,7 +805,8 @@ static void do_space_left_action(int admin)
+ 		case FA_EXEC:
+ 			// Close the logging file in case the script zips or
+ 			// moves the file. We'll reopen in sigusr2 handler
+-			fclose(log_file);
++			if (log_file)
++				fclose(log_file);
+ 			log_file = NULL;
+ 			log_fd = -1;
+ 			logging_suspended = 1;
+@@ -849,7 +856,8 @@ static void do_disk_full_action(void)
+ 		case FA_EXEC:
+ 			// Close the logging file in case the script zips or
+ 			// moves the file. We'll reopen in sigusr2 handler
+-			fclose(log_file);
++			if (log_file)
++				fclose(log_file);
+ 			log_file = NULL;
+ 			log_fd = -1;
+ 			logging_suspended = 1;
+@@ -896,7 +904,8 @@ static void do_disk_error_action(const char *func, int err)
+ 		case FA_EXEC:
+ 			// Close the logging file in case the script zips or
+ 			// moves the file. We'll reopen in sigusr2 handler
+-			fclose(log_file);
++			if (log_file)
++				fclose(log_file);
+ 			log_file = NULL;
+ 			log_fd = -1;
+ 			logging_suspended = 1;
+@@ -1021,17 +1030,21 @@ static void rotate_logs(unsigned int num_logs, unsigned int keep_logs)
+ 	/* Close audit file. fchmod and fchown errors are not fatal because we
+ 	 * already adjusted log file permissions and ownership when opening the
+ 	 * log file. */
+-	if (fchmod(log_fd, config->log_group ? S_IRUSR|S_IRGRP : S_IRUSR) < 0){
+-		audit_msg(LOG_WARNING, "Couldn't change permissions while "
++	if (log_fd >= 0) {
++		if (fchmod(log_fd, config->log_group ? S_IRUSR|S_IRGRP :
++			  S_IRUSR) < 0){
++		    audit_msg(LOG_WARNING, "Couldn't change permissions while "
+ 			"rotating log file (%s)", strerror(errno));
+-	}
+-	if (fchown(log_fd, 0, config->log_group) < 0) {
+-		audit_msg(LOG_WARNING, "Couldn't change ownership while "
++		}
++		if (fchown(log_fd, 0, config->log_group) < 0) {
++		    audit_msg(LOG_WARNING, "Couldn't change ownership while "
+ 			"rotating log file (%s)", strerror(errno));
++		}
+ 	}
+-	fclose(log_file);
++	if (log_file)
++		fclose(log_file);
+ 	log_file = NULL;
+-	
++
+ 	/* Rotate */
+ 	len = strlen(config->log_file) + 16;
+ 	oldname = (char *)malloc(len);
+@@ -1485,7 +1498,8 @@ static void reconfigure(struct auditd_event *e)
+ 		free((void *)nconf->log_file);
+ 
+ 	if (need_reopen) {
+-		fclose(log_file);
++		if (log_file)
++			fclose(log_file);
+ 		log_file = NULL;
+ 		fix_disk_permissions();
+ 		if (open_audit_log()) {
+-- 
+2.47.0
+
diff --git a/audit-fix-resource-leaks.patch b/audit-fix-resource-leaks.patch
new file mode 100644
index 0000000000000000000000000000000000000000..78e71483074aa4a8e13f306fc95b9bd539e2f387
--- /dev/null
+++ b/audit-fix-resource-leaks.patch
@@ -0,0 +1,49 @@
+From c7d7ea970d073a6653a3401bc19ae0f453fe4b19 Mon Dec 17 00:00:00 2001
+From: zhuhongbo <zhuhongbo@uniontech.com>
+Date: Mon, 30 Dec 2024 15:24:27 +0800
+Subject: [PATCH] fix resource leaks
+
+---
+ src/auditd-event.c | 3 ++-
+ src/auditd.c       | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/auditd-event.c b/src/auditd-event.c
+index dca5b24..3405f1d 100644
+--- a/src/auditd-event.c
++++ b/src/auditd-event.c
+@@ -135,9 +135,9 @@ void shutdown_events(void)
+ 	pthread_join(flush_thread, NULL);
+ 
+ 	free((void *)format_buf);
++	auparse_destroy_ext(NULL, AUPARSE_DESTROY_ALL);
+ 	if (log_file)
+ 		fclose(log_file);
+-	auparse_destroy_ext(NULL, AUPARSE_DESTROY_ALL);
+ }
+ 
+ int init_event(struct daemon_conf *conf)
+@@ -223,6 +223,7 @@ static void init_flush_thread(void)
+ 	pthread_cond_init(&do_flush, NULL);
+ 	flush = 0;
+ 	pthread_create(&flush_thread, NULL, flush_thread_main, NULL);
++	pthread_detach(flush_thread);
+ }
+ 
+ static void replace_event_msg(struct auditd_event *e, const char *buf)
+diff --git a/src/auditd.c b/src/auditd.c
+index c90adfa..cf0ade2 100644
+--- a/src/auditd.c
++++ b/src/auditd.c
+@@ -451,6 +451,8 @@ static int become_daemon(void)
+ 			if (rc < 0)
+ 				return -1;
+ 
++			free_config(&config);
++
+ 			/* Success - die a happy death */
+ 			if (status == SUCCESS)
+ 				_exit(0);
+-- 
+2.47.0
+
diff --git a/audit.spec b/audit.spec
index f14b8ec26df16e434a279cadbb8304b53f54a6a1..65b7cfaa58782b057f25e6e37c23d2ae92eaf3c3 100644
--- a/audit.spec
+++ b/audit.spec
@@ -3,7 +3,7 @@
 Summary: User space tools for 2.6 kernel auditing
 Name: audit
 Version: 2.8.5
-Release: 4%{?dist}
+Release: 4%{?dist}.1
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://people.redhat.com/sgrubb/audit/
@@ -15,6 +15,8 @@ Patch2: audit-2.7.5-no-backlog-wait-time.patch
 Patch3: audit-2.8.6-memleak.patch
 Patch4: audit-3.0-avc.patch
 Patch5: audit-3.0-cond-restart.patch
+Patch6: audit-fix-check-log-file.patch
+Patch7: audit-fix-resource-leaks.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: openldap-devel
 BuildRequires: swig
@@ -93,6 +95,8 @@ like relay events to remote machines.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
 
 %build
 %configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes \
@@ -274,6 +278,9 @@ fi
 %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
 
 %changelog
+* Mon Dec 30 2024 zhuhongbo <zhuhongbo@uniontech.com> - 2.8.5-4.1
+- fix: fix check log file
+
 * Mon May 06 2019 Steve Grubb <sgrubb@redhat.com> 2.8.5-4
 resolves: #1696709 - updating auditd is enabling disabled service