We are required to monitor /var/log/audit. Whenever splunkd accesses audit.log a new event is created. We are getting close to ten thousand of these messages per hour. I have tried to create an excpetion in audit.rules, however there does not seem to be a good hook, that won't affect legitimate audit.log access events. Any ideas how to solve this issue?
Removed my previous bad answer. The proper line to be entered into your audit.rules file is
-a exit,never -F path=/opt/splunkforwarder/bin/splunkd -k splunk_exclude
Are these messages being generated from syscall rules or file system rules? If you are using a syscall rule, you can use the -F switch and exclude the uid of the Splunk user.
The other option is to just have Splunk route those events to the nullQueue.
Craig
splunk runs as root.