Hi folks,
So I am running a distributed deployment. It seems that, on my index server (running RedHat), SPlunk is sending loads of internal audit events to /var/log/audit/audit.log. I am not indexing this nor do I care about the large volumes of information Splunk is logging here. It ends up filling 50MB of space per hour.
Is there a mechanism to prevent all these logs from writing to the audit log on my server?
I know that this is a very old post but I think this is the answer. Change the audit rules for auditing splunk directories
echo "# Exclude Splunk directories" >> /etc/audit/audit.rules
echo "-W never,exit -F path=/app/splunk/ -k exclude" >> /etc/audit/audit.rules
echo "-W never,exit -F path=/data1/splunk/ -k exclude" >> /etc/audit/audit.rules
echo "-W never,exit -F path=/data2/splunk/ -k exclude" >> /etc/audit/audit.rules
Hi @jravida
If you want to prevent certain logs from being indexed in Splunk, you can configure inputs.conf with blacklist rules. Check out the following documentation on whitelist and blacklist monitoring. http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Whitelistorblacklistspecificincomingdata
Ah sorry @jravida I didn't catch that part.
The logs aren't being index from what I can tell. They are just getting saved to the filesystem.
Yes the log rotation defined in $SPLUNK_HOME/etc/log.cfg
Splunk will maintain 5 rotated copies of 25MB each of the audit.log, so the maximum will be 125MB.