Re: disabling audittrial logs in splunk

splunk_user_maj · ‎08-14-2020

How can I disable audittrial logs to get ingested in splunk?

ruman_splunk · ‎04-09-2023

Yes, you're right. Splunk does not monitor the audit logs with a file input. Instead Splunk sends audit events directly to the ingest queue.

This can be disabled in audit.conf. Please see https://docs.splunk.com/Documentation/Splunk/latest/Admin/Auditconf for details.

isoutamo · ‎08-14-2020

If you rally want to do it, you must remove file monitor for $SPLUNK_HOME/var/log/splunk/audit.log files.

I'm not sure, but expecting that this could came back every time when you are updating your splunk instance?

r. Ismo

splunk_user_maj · ‎08-14-2020

But..this path is actually not being monitored..i also checked in the default configurations of splunk..its not being monitored...

isoutamo · ‎08-14-2020

Try to splunk list monitor in any of you splunk server and you see that it's there.

e.g in macOS:

splunk list monitor|egrep audit.log
/Applications/Splunk/var/log/splunk/audit.log
/Applications/Splunk/var/log/splunk/audit.log.1
/Applications/Splunk/var/log/splunk/audit.log.2
/Applications/Splunk/var/log/splunk/audit.log.3
/Applications/Splunk/var/log/splunk/audit.log.4
/Applications/Splunk/var/log/splunk/audit.log.5

It seems that there is no inputs.conf for it, but you could found that

egrep audit.log /Applications/Splunk/etc/log.cfg
# audit logs go a separate file
appender.audittrail.fileName=${SPLUNK_HOME}/var/log/splunk/audit.log

Personally I don't like to edit those files as it probably breaks splunk support if you ever need it.

If you really get rid of those events then probably better idea is to decrease retention time of this index?

r. Ismo

How can I disable audittrial logs to get ingested in Splunk?

configuration

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases