How do I exclude a directory from audit

  1. #1

    Using audit to track system changes, with rules from the CIS security guidelines.

    This server also has Splunk running on it, which creates lots of changes that are reflected in the audit log files, so much so that the audit logs are being rotated every few minutes. This causes several issues, one being that audit ceases auditing while the log files are being rotated.

    I thought it would be an easy job to exclude /u00/splunk/var (the source from which audit is generating the logs) by adding an exclude to audit.rules, but I have tried several things, all with zero success.

    I tried:
    -W never,exit -F path=/u00/splunk/var
    -w never,exit -F path=/u00/splunk/var
    -a never,exit -F path=/u00/splunk/var

    Any ideas?

  2. #2
    Fixed it.

    I had to turn off the immutable option by commenting out the (-e 2) line at the bottom of audit.rules, then I added to the top of the file:

    -W never,exclude -F path=/u00/splunk/var -k exclude

    ...and then rebooted; the reboot is a must if you had the immutable option set.

    Seems to be working.
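Two things in this thread are worth pinning down with a check rather than trial and error. First, auditctl evaluates the exit filter's rules in the order they were loaded and stops at the first match, so a "never" rule for a directory only silences anything if it sits above the "always"/"-w" rules that would otherwise match; the form auditctl documents for a directory is `-a never,exit -F dir=/path`. Second, `-e 2` makes the configuration immutable until reboot, so it has to be the last line, and any rule placed after it fails to load. The script below is an added example, not the poster's rules and not the CIS rule set: the watch lines in the constructed audit.rules fragment are representative stand-ins, the only path taken from the thread is /u00/splunk/var, and the functions `exclusion_rule` and `check_rule_order` are hypothetical helpers that build the exclusion and verify the ordering of a rules file offline, without auditctl.

```shell
#!/bin/sh
# Added example: generate an auditd directory exclusion and verify rule ordering.
# Constructed audit.rules fragment; the watch lines are representative examples,
# NOT the actual CIS rule set. Only /u00/splunk/var comes from the thread.
AUDIT_RULES=$(cat <<'EOF'
-D
-b 8192
# Exclusion first: the exit filter stops at the first matching rule.
-a never,exit -F dir=/u00/splunk/var -k exclude
-w /etc/passwd -p wa -k identity
-w /etc/sudoers -p wa -k scope
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
# Immutable flag last: anything after it cannot be loaded until reboot.
-e 2
EOF
)

# exclusion_rule DIR [KEY]: print the auditctl rule that silences DIR.
# Uses -F dir= (recursive) rather than -F path= (single object).
exclusion_rule() {
    printf -- '-a never,exit -F dir=%s -k %s\n' "$1" "${2:-exclude}"
}

# check_rule_order RULES_TEXT: exit 0 when every "-a never," rule precedes the
# first "-a always," or "-w" rule and no rule follows "-e 2"; exit 1 otherwise.
check_rule_order() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }                          # skip comments and blank lines
        /^-e[ \t]+2/   { immutable = 1; next }            # -e 2 seen: must be the last rule
        immutable      { bad = 1; next }                  # a rule after -e 2 would be refused
        /^-a[ \t]+never,/ && active { bad = 1 }           # never-rule shadowed by earlier rules
        /^-a[ \t]+always,/ || /^-w[ \t]/ { active = 1 }   # first rule that generates records
        END { exit bad ? 1 : 0 }
    '
}

# Stand-alone run: show the generated exclusion and validate the fragment.
exclusion_rule /u00/splunk/var
if check_rule_order "$AUDIT_RULES"; then
    echo "rule order OK"
else
    echo "rule order BAD: move never-rules above always/-w rules and keep -e 2 last"
fi
```

Run `check_rule_order "$(cat /etc/audit/audit.rules)"` before `augenrules --load` or `service auditd restart`; if `-e 2` is already in effect on the running system, the edited file only takes effect after a reboot, as the second post found.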
