Re: How to prevent internal Splunk audit logs from...

jravida · ‎08-18-2014

Hi folks,

So I am running a distributed deployment. It seems that, on my index server (running RedHat), SPlunk is sending loads of internal audit events to /var/log/audit/audit.log. I am not indexing this nor do I care about the large volumes of information Splunk is logging here. It ends up filling 50MB of space per hour.

Is there a mechanism to prevent all these logs from writing to the audit log on my server?

mad4wknds · ‎04-10-2017

I know that this is a very old post but I think this is the answer. Change the audit rules for auditing splunk directories
echo "# Exclude Splunk directories" >> /etc/audit/audit.rules
echo "-W never,exit -F path=/app/splunk/ -k exclude" >> /etc/audit/audit.rules
echo "-W never,exit -F path=/data1/splunk/ -k exclude" >> /etc/audit/audit.rules
echo "-W never,exit -F path=/data2/splunk/ -k exclude" >> /etc/audit/audit.rules

ppablo · ‎08-18-2014

Hi @jravida

If you want to prevent certain logs from being indexed in Splunk, you can configure inputs.conf with blacklist rules. Check out the following documentation on whitelist and blacklist monitoring. http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Whitelistorblacklistspecificincomingdata

ppablo · ‎08-18-2014

Ah sorry @jravida I didn't catch that part.

jravida · ‎08-18-2014

The logs aren't being index from what I can tell. They are just getting saved to the filesystem.

yannK · ‎08-18-2014

Yes the log rotation defined in $SPLUNK_HOME/etc/log.cfg

Splunk will maintain 5 rotated copies of 25MB each of the audit.log, so the maximum will be 125MB.

How to prevent internal Splunk audit logs from being written to /var/log/audit?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases