All Apps and Add-ons

Disable SYSCALL events from auditd app

naqviah
Explorer

Hi,

Is there a way to disable logging of syscall events from the linux-auditd app? Syscall is generating thousands of events per minute and it is out of scope for me at the moment.

0 Karma

doksu
SplunkTrust
SplunkTrust

The app is designed around SYSCALL events because they're an integral part of auditd, so refining the audit rules to meet your needs is recommended rather than excluding them. If you really need to exclude them, the simplest approach would be to ingest SYSCALL events into a dedicated index, ensure it isn't in the auditd_indicies.csv lookup and disabled the "Update auditd_indicies lookup" scheduled search so the lookup isn't updated. Be sure to also create a local override of the "auditd_events" event type, explicitly specifying the indices you want to be searched instead of index=* (this is used by the data model).

0 Karma

doksu
SplunkTrust
SplunkTrust

Hi naqviah, could you be more specific about 'disabling' SYSCALL events? Would you like the app to ignore them completely so they don't display in any of the dashboards and don't populate the data model?

0 Karma

naqviah
Explorer

That is correct. Syscall events are generating millions of events per day. Temporarily, i have blacklisted the type=syscall*. However, is there another method to disable them?

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...