/var is full due to large audit.log files in /var/log/audit on Security Analytics

Article ID: 168496

Products

Security Analytics

Issue/Introduction

The audit logs record each time a file is read, written or otherwise modified. Auditing at this level can be a security requirement at a site, but it is not typical. Disabling this audit logging reduces the write traffic to the primary operating system disks and reduces the chance of filling the /var filesystem.

Resolution

Update /etc/audit/audit.rules as root and restart auditd.

Find the section similar to:

# /dev/shm/var/lib/solera
-A exit,never -F arch=b64 -F dir=/dev/shm/var/lib/solera

# /pfs
-A exit,never -F arch=b64 -F dir=/pfs


Add the following lines

# Exclude all files in /var/lib/solera
-A exit,never -F arch=b64 -F dir=/var/lib/solera


Restart auditd and syslog-ng with:

service auditd restart;service syslog-ng restart

After the restart, /var/log/audit/audit.log is rotated and auditing continues in a new, empty file.
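The edit above can be scripted so it is safe to re-run on several appliances. The following shell functions are an added example, not part of the article: they add the /var/lib/solera exclusion to a rules file only if it is missing, and they exercise the logic against a constructed copy of the rules section shown above rather than the live /etc/audit/audit.rules.

```shell
#!/bin/sh
# Added example (not from the KB article): idempotently add the exclusion
# rule for /var/lib/solera to an audit.rules file and verify it is present
# exactly once. All paths and sample contents below are constructed.

SOLERA_COMMENT='# Exclude all files in /var/lib/solera'
SOLERA_RULE='-A exit,never -F arch=b64 -F dir=/var/lib/solera'

# Return 0 if the exclusion rule already exists as a whole line in the file.
# "--" is required because the rule text itself starts with "-".
has_solera_exclusion() {
    grep -qxF -- "$SOLERA_RULE" "$1"
}

# Append comment + rule only when the rule is absent, so repeated runs do not
# duplicate it. Position in the file does not matter for correctness: "-A"
# prepends the rule to the exit list when auditd loads it, so the "never"
# action is evaluated before any watch rules further down the file.
ensure_solera_exclusion() {
    if has_solera_exclusion "$1"; then
        return 0
    fi
    printf '\n%s\n%s\n' "$SOLERA_COMMENT" "$SOLERA_RULE" >> "$1"
}

# Number of whole-line occurrences of the rule (expected: 1 after the edit).
count_solera_rule() {
    grep -cxF -- "$SOLERA_RULE" "$1"
}

# Constructed sample mirroring the rules section the article tells you to
# locate, written to a temporary file so nothing under /etc/audit is touched.
make_sample_rules() {
    tmp=$(mktemp)
    printf '%s\n' \
        '# /dev/shm/var/lib/solera' \
        '-A exit,never -F arch=b64 -F dir=/dev/shm/var/lib/solera' \
        '' \
        '# /pfs' \
        '-A exit,never -F arch=b64 -F dir=/pfs' > "$tmp"
    echo "$tmp"
}
```

On a real appliance, point `ensure_solera_exclusion` at /etc/audit/audit.rules, restart auditd as described above, and confirm the rule is loaded with `auditctl -l`.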