Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I disable audittrial logs to get ingested in Splunk?

splunk_user_maj
Loves-to-Learn Lots
‎08-14-2020 06:48 AM

How can I disable audittrial logs to get ingested in splunk?

Labels (1)
Labels
0 Karma
Reply

ruman_splunk
Splunk Employee
Splunk Employee
‎04-09-2023 11:51 PM

Yes, you're right. Splunk does not monitor the audit logs with a file input. Instead Splunk sends audit events directly to the ingest queue.

This can be disabled in audit.conf. Please see https://docs.splunk.com/Documentation/Splunk/latest/Admin/Auditconf for details.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-14-2020 08:50 AM

If you rally want to do it, you must remove file monitor for $SPLUNK_HOME/var/log/splunk/audit.log files.

I'm not sure, but expecting that this could came back every time when you are updating your splunk instance?

r. Ismo

0 Karma
Reply

splunk_user_maj
Loves-to-Learn Lots
‎08-14-2020 09:03 AM

But..this path is actually not being monitored..i also checked in the default configurations of splunk..its not being monitored...

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-14-2020 09:06 AM

Try to splunk list monitor in any of you splunk server and you see that it's there.

e.g in macOS:

splunk list monitor|egrep audit.log
/Applications/Splunk/var/log/splunk/audit.log
/Applications/Splunk/var/log/splunk/audit.log.1
/Applications/Splunk/var/log/splunk/audit.log.2
/Applications/Splunk/var/log/splunk/audit.log.3
/Applications/Splunk/var/log/splunk/audit.log.4
/Applications/Splunk/var/log/splunk/audit.log.5

It seems that there is no inputs.conf for it, but you could found that 

egrep audit.log /Applications/Splunk/etc/log.cfg
# audit logs go a separate file
appender.audittrail.fileName=${SPLUNK_HOME}/var/log/splunk/audit.log

Personally I don't like to edit those files as it probably breaks splunk support if you ever need it.

If you really get rid of those events then probably better idea is to decrease retention time of this index? 

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...