Deployment Architecture

auditd splunkd

criscollins
New Member

We are required to monitor /var/log/audit. Whenever splunkd accesses audit.log a new event is created. We are getting close to ten thousand of these messages per hour. I have tried to create an excpetion in audit.rules, however there does not seem to be a good hook, that won't affect legitimate audit.log access events. Any ideas how to solve this issue?

Tags (2)
0 Karma

tmacdonagh
Engager

Removed my previous bad answer. The proper line to be entered into your audit.rules file is

-a exit,never -F path=/opt/splunkforwarder/bin/splunkd -k splunk_exclude

responsys_cm
Builder

Are these messages being generated from syscall rules or file system rules? If you are using a syscall rule, you can use the -F switch and exclude the uid of the Splunk user.

The other option is to just have Splunk route those events to the nullQueue.

Craig

0 Karma

tmacdonagh
Engager

splunk runs as root.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...