I am still having trouble disabling audit logs. You can find the btool command output below. Do you have any idea why I am still getting the audit logs?
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf [syslog]
/opt/splunk/etc/system/local/outputs.conf defaultGroup = syslogGroup
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf forwardedindex.0.whitelist = .*
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf forwardedindex.1.blacklist = _.*
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf forwardedindex.filter.disable = false
/opt/splunk/etc/system/default/outputs.conf maxEventSize = 1024
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf maxQueueSize = 500KB
/opt/splunk/etc/system/default/outputs.conf priority = <13>
/opt/splunk/etc/system/default/outputs.conf type = udp
/opt/splunk/etc/system/local/outputs.conf [syslog:syslogGroup]
/opt/splunk/etc/system/local/outputs.conf sendCookedData = false
/opt/splunk/etc/system/local/outputs.conf server = 10.19.1.158:1514
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf [tcpout]
/opt/splunk/etc/system/default/outputs.conf ackTimeoutOnShutdown = 30
/opt/splunk/etc/system/default/outputs.conf autoLBFrequency = 30
/opt/splunk/etc/system/default/outputs.conf autoLBVolume = 0
/opt/splunk/etc/system/default/outputs.conf blockOnCloning = true
/opt/splunk/etc/system/default/outputs.conf blockWarnThreshold = 100
/opt/splunk/etc/system/default/outputs.conf cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256
/opt/splunk/etc/system/default/outputs.conf compressed = false
/opt/splunk/etc/system/default/outputs.conf connectionTimeout = 20
/opt/splunk/etc/system/local/outputs.conf defaultGroup = default-autolb-group
/opt/splunk/etc/system/default/outputs.conf disabled = false
/opt/splunk/etc/system/default/outputs.conf dropClonedEventsOnQueueFull = 5
/opt/splunk/etc/system/default/outputs.conf dropEventsOnQueueFull = -1
/opt/splunk/etc/system/default/outputs.conf ecdhCurves = prime256v1, secp384r1, secp521r1
/opt/splunk/etc/system/default/outputs.conf forceTimebasedAutoLB = false
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf forwardedindex.0.whitelist = .*
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf forwardedindex.1.blacklist = _.*
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf forwardedindex.filter.disable = false
/opt/splunk/etc/system/default/outputs.conf heartbeatFrequency = 30
/opt/splunk/etc/system/local/outputs.conf indexAndForward = 1
/opt/splunk/etc/system/default/outputs.conf maxConnectionsPerIndexer = 2
/opt/splunk/etc/system/default/outputs.conf maxFailuresPerInterval = 2
/opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf maxQueueSize = 500KB
/opt/splunk/etc/system/default/outputs.conf readTimeout = 300
/opt/splunk/etc/system/default/outputs.conf secsInFailureInterval = 1
/opt/splunk/etc/system/default/outputs.conf sendCookedData = true
/opt/splunk/etc/system/default/outputs.conf sslQuietShutdown = false
/opt/splunk/etc/system/default/outputs.conf sslVersions = tls1.2
/opt/splunk/etc/system/default/outputs.conf tcpSendBufSz = 0
/opt/splunk/etc/system/default/outputs.conf useACK = false
/opt/splunk/etc/system/default/outputs.conf writeTimeout = 300
/opt/splunk/etc/system/local/outputs.conf [tcpout-server://10.19.1.158:514]
/opt/splunk/etc/system/local/outputs.conf [tcpout:default-autolb-group]
/opt/splunk/etc/system/local/outputs.conf disabled = false
/opt/splunk/etc/system/local/outputs.conf sendCookedData = false
/opt/splunk/etc/system/local/outputs.conf server = 10.19.1.158:514