Hi,
Is there a way to disable logging of syscall events from the linux-auditd app? Syscall is generating thousands of events per minute and it is out of scope for me at the moment.
The app is designed around SYSCALL events because they're an integral part of auditd, so refining the audit rules to meet your needs is recommended rather than excluding them. If you really need to exclude them, the simplest approach would be to ingest SYSCALL events into a dedicated index, ensure it isn't in the auditd_indicies.csv lookup and disabled the "Update auditd_indicies lookup" scheduled search so the lookup isn't updated. Be sure to also create a local override of the "auditd_events" event type, explicitly specifying the indices you want to be searched instead of index=* (this is used by the data model).
Hi naqviah, could you be more specific about 'disabling' SYSCALL events? Would you like the app to ignore them completely so they don't display in any of the dashboards and don't populate the data model?
That is correct. Syscall events are generating millions of events per day. Temporarily, i have blacklisted the type=syscall*. However, is there another method to disable them?