On 2/28/23 09:31, Paul Moore wrote:
> On Tue, Feb 28, 2023 at 10:35 AM Anurag Aggarwal
> <anurag19aggar...@gmail.com> wrote:
>> Hello Paul,
>> Thank you for your information.
>>> If you have a particular audit
>>> rule which is too verbose *and* you are willing to lose audit records
>>> from that filter rule (which is what would happen if they were rate
>>> limited), you might want to consider making that audit filter rule
>>> more targeted to the event you are interested in logging. Generating
>>> more audit records than you want to see can be a sign of an overly
>>> general audit rule.
>> I agree that having rules which are too verbose is not a very good idea.
>> Besides this, is there any other mechanism which we can use to get a similar
>> effect?
> Nothing comes quickly to mind, perhaps others on the mailing list
> might have some ideas ... ?

Not much else to offer above what Paul already replied. Maybe if we saw
your rule we could offer more.

What we do not know is: do you have any filtering criteria in mind not
covered by the available auditctl exclusions, or do you just want to
"sample" randomly?

If the latter, why bother auditing this with a rule at all? You might be
able to remove the rule causing the events and do something in userspace
to audit only what you really want.

Without a bit more context on the events, rule and intent it is hard to
suggest alternatives. But in general, it is preferable to exclude as
much noise as possible in your collection to ensure you get only what is
required/desired in your audit logs.
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
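The two points the replies make, that narrowing the filter beats rate limiting because rate limiting silently discards records, and that the remaining selection can be done in userspace, can be illustrated with a small post-filter over audit.log text. This is an added example written for this thread, not code from the linux-audit project or from any of the posters. It assumes the line format auditd writes ("type=T msg=audit(ts:serial): k=v k="v" ..."), constructs its own sample records (serials, pids and paths are made up), and uses hypothetical criteria (failed opens by processes that have a real login session, i.e. auid not unset) standing in for whatever the original poster actually wants. If a volume cap is applied anyway, it counts what was dropped per key so the loss is visible rather than silent.

```python
"""Userspace narrowing of audit records (added example, see lead-in)."""
import re
from collections import Counter

# One audit.log record: header, then whitespace-separated fields.
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# auid printed for a process with no login session (unset), as in audit.log
AUID_UNSET = "4294967295"


def parse_record(line):
    """Turn one audit.log line into a dict; None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for k, v in FIELD_RE.findall(m.group(4)):
        if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
            v = v[1:-1]  # strip quotes; hex-encoded values are left as-is here
        rec[k] = v
    return rec


def matches(rec, criteria):
    """True if every criterion holds. A criterion is an exact string,
    a set of acceptable strings, or a predicate on the field's string value."""
    for field, want in criteria.items():
        have = rec.get(field)
        if have is None:
            return False
        if callable(want):
            if not want(have):
                return False
        elif isinstance(want, (set, frozenset)):
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def narrow(log_text, criteria, per_key_limit=None):
    """Keep records that match the criteria; optionally cap records per key.
    Returns (kept_records, Counter of suppressed records by key)."""
    kept, seen, suppressed = [], Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or not matches(rec, criteria):
            continue
        key = rec.get("key", "<nokey>")
        seen[key] += 1
        if per_key_limit is not None and seen[key] > per_key_limit:
            suppressed[key] += 1  # dropped, but accounted for, unlike kernel rate limiting
            continue
        kept.append(rec)
    return kept, suppressed


# Constructed sample: the kind of flood an unqualified openat rule keyed
# "file_access" produces. Not real events.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1677580000.101:201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c ppid=1 pid=1200 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="file_access"
type=CWD msg=audit(1677580000.101:201): cwd="/home/user"
type=SYSCALL msg=audit(1677580000.102:202): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c ppid=1 pid=1201 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="file_access"
type=SYSCALL msg=audit(1677580000.103:203): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c ppid=1 pid=1202 auid=4294967295 uid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="file_access"
type=SYSCALL msg=audit(1677580000.104:204): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c ppid=1 pid=1203 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="file_access"
type=SYSCALL msg=audit(1677580000.105:205): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c ppid=1 pid=1204 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="file_access"
type=SYSCALL msg=audit(1677580000.106:206): arch=c000003e syscall=59 success=yes exit=0 a0=1 ppid=1 pid=1205 auid=1001 uid=1001 euid=1001 comm="sh" exe="/usr/bin/dash" key="exec"
type=SYSCALL msg=audit(1677580000.107:207): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c ppid=1 pid=1206 auid=4294967295 uid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="file_access"
"""

# Hypothetical "what we really want": failed opens from interactive sessions only.
FAILED_OPENS_BY_USERS = {
    "type": "SYSCALL",
    "key": "file_access",
    "success": "no",
    "auid": lambda v: v != AUID_UNSET,  # daemons and cron jobs have no login session
}

if __name__ == "__main__":
    kept, dropped = narrow(SAMPLE_LOG, FAILED_OPENS_BY_USERS, per_key_limit=2)
    for r in kept:
        print(r["serial"], r["exe"], "exit=" + r["exit"])
    for key, n in dropped.items():
        print(f"suppressed {n} record(s) for key={key!r}")
```

The criteria dict mirrors what a kernel-side rule would express with -F field filters; doing it in userspace only makes sense, as the reply says, when the criteria are not available to auditctl, since the kernel still pays to generate every record the broad rule matches.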