On Thursday, September 08, 2011 02:38:03 AM Vipin Rathor wrote:
> My auditd server is getting overwhelmed by the logs that it is getting.

This almost always means the rules are not properly tuned.

> I've configured remote audit logging via audisp-plugin. Earlier I
> tried to reduce the amount of logs by optimizing the audit rules. But
> we want to reduce it further.
>
> Here's the list of things that I can think of to reduce the overwhelming
> amount of logs further:
>
> 1. Increase the kernel buffer for auditd from 20480 (current) to 99999.
>
> 2. Increase the priority of the auditd process. Currently 'priority_boost
> = 10'. Default is 4. I don't know the maximum value (though I've seen
> someone using 12). Can anyone tell me what's the maximum priority I
> can give?

Probably 19. This is dictated by the kernel. See the nice(1) command.

> 3. Optimize the audit messages further:
>
> a. Exclude a single file (like /etc/sysconfig/bash-prompt-xterm) from
> being audited. This can be done with the following rule (Thanks to
> Steve!):
>
> -a exit,never -F path=/etc/sysconfig/bash-prompt-xterm
>
> b. Exclude specific processes by their PIDs. This will be tricky as
> we will need to keep track of PIDs in case of process
> start/stop/restart etc.

Yes, but you may be able to use the SE Linux label to prevent auditing of the process.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
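The tuning ideas in the thread (a larger kernel backlog, a `never` rule for one noisy path, and a `never` rule keyed on the SELinux subject type instead of chasing PIDs) can be combined in one audit.rules fragment. The script below is an added example, not part of the original mail or of the audit project; the SELinux type `example_noisy_t`, the `access_denied` and `identity` keys and the sample `always` rules are assumptions chosen for illustration. The one point it adds beyond the mail is ordering: auditctl evaluates syscall rules top to bottom and stops at the first match, so an exclusion is only effective if it appears before the `always` rule it is meant to pre-empt, and `check_order` flags fragments that get this wrong.

```shell
#!/bin/sh
# Added example (not from the original mail): build an audit.rules fragment
# that applies the thread's noise-reduction ideas, then sanity-check ordering.

NOISY_PATH="/etc/sysconfig/bash-prompt-xterm"    # path from the thread
NOISY_SUBJ_TYPE="example_noisy_t"                # placeholder SELinux type (assumption)

# Emit the fragment: flush existing rules, raise the backlog (-b), put the
# 'never' exclusions first, then the 'always' rules whose records we keep.
build_rules() {
    printf '%s\n' \
        "-D" \
        "-b 99999" \
        "-a exit,never -F path=$NOISY_PATH" \
        "-a exit,never -F subj_type=$NOISY_SUBJ_TYPE" \
        "-a exit,always -F arch=b64 -S open,openat -F exit=-EACCES -k access_denied" \
        "-w /etc/passwd -p wa -k identity"
}

# Rules are matched in order, first match wins. Read a fragment on stdin and
# return 0 if every 'never' rule precedes the first 'always'/'-w' rule,
# 1 if an exclusion is placed where it can never take effect.
check_order() {
    awk '
        /^-a (exit,always|always,exit)|^-w / { seen_always = 1 }
        /^-a (exit,never|never,exit)/ && seen_always { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Count the exclusion rules in a fragment read on stdin.
count_never() {
    grep -c -- '-a \(exit,never\|never,exit\)'
}

# Stand-alone use: print the fragment and report whether ordering is sane.
if [ "${1:-}" = "--show" ]; then
    build_rules
    if build_rules | check_order; then
        echo "ordering ok: $(build_rules | count_never) exclusion rule(s) precede the always rules"
    else
        echo "ordering problem: a never rule follows an always rule" >&2
        exit 1
    fi
fi
```

To apply the fragment on a real host, write `build_rules` output to a file under `/etc/audit/rules.d/` and load it with `auditctl -R <file>` (or restart auditd), then compare `auditctl -s` backlog and lost counters before and after to confirm the exclusions actually reduced the volume.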
