
I am using a third-party logging service (LogDNA) to centralise my server logs, but the agent installed on the server is actually causing the generation of additional and unnecessary logs.

My audit policy includes the line:

-w /var/log/audit -p rwxa -k auditlog

which monitors for any activity on any files in the /var/log/audit directory. The agent reads the files approximately once every second, causing 4 lines to be written to the log:

type=SYSCALL msg=audit(1571391173.197:314775): arch=c000003e syscall=257 success=yes exit=13 a0=ffffff9c a1=3453780 a2=80000 a3=0 items=1 ppid=1 pid=16253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logdna-agent" exe="/usr/bin/logdna-agent" key="auditlog" 
type=CWD msg=audit(1571391173.197:314775): cwd="/" 
type=PATH msg=audit(1571391173.197:314775): item=0 name="/var/log/audit/audit.log" inode=49 dev=07:03 mode=0100640 ouid=0 ogid=4 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 
type=PROCTITLE msg=audit(1571391173.197:314775): proctitle="logdna-agent"

This drastically increases the volume of logs per server that I am ingesting, with obvious added cost.

The question is, can I specify in the audit policy to ignore reads from a specific process?

I am running Ubuntu 18.04.

NB. LogDNA does offer filtering on its side, but realistically this could only be done for the 2 lines which specify log-dna.

0 Answers
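The page carries no answer. As an added example that is not part of the original question (and not LogDNA's or the audit project's own code), the script below shows the rule-ordering approach a practitioner would use: an `-a never,exit` rule filtered on `-F exe=` placed ahead of the `-w /var/log/audit` watch, so the agent's accesses are dropped before the watch fires while every other process is still recorded. Both options are documented in auditctl(8); the rules file path, the script name and the extra `/bin/cat` record in the sample log are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: carve the log shipper's own reads
# out of the /var/log/audit watch with an auditd "never" rule, and count how many
# events a given exe still generates in a raw audit.log.
# Assumptions (not stated on the page): the rules file path in the usage line
# below, and the "cat" record in the sample log, which is constructed.
set -eu

AGENT_EXE=/usr/bin/logdna-agent   # exe= value seen in the SYSCALL record in the question

# Write the rules. Order matters: the exit filter list is walked top to bottom
# and a matching "never" rule stops event generation, so the suppression must
# precede the watch it carves an exception out of. "-F exe=" needs kernel >= 4.3
# and audit userspace >= 2.6; Ubuntu 18.04 ships 4.15 and 2.8.
write_rules() {
  cat > "$1" <<EOF
## Suppress ${AGENT_EXE} touching the audit log directory (must precede the watch)
-a never,exit -F arch=b64 -S all -F dir=/var/log/audit -F exe=${AGENT_EXE}
-a never,exit -F arch=b32 -S all -F dir=/var/log/audit -F exe=${AGENT_EXE}
## Every other access to /var/log/audit is still recorded under key "auditlog"
-w /var/log/audit -p rwxa -k auditlog
EOF
}

# Ordering check: exit 0 only if a "never" rule for AGENT_EXE comes before the watch.
rules_order_ok() {
  awk -v exe="$AGENT_EXE" '
    /^-a never,exit/ && index($0, "exe=" exe) && !never { never = NR }
    /^-w \/var\/log\/audit/ { watch = NR }
    END { if (never && watch && never < watch) exit 0; exit 1 }
  ' "$1"
}

# Count SYSCALL records in a raw audit.log that carry the given key and exe.
# Run it against /var/log/audit/audit.log before and after "augenrules --load":
# the count for the agent should stop growing once the never rule is active.
count_events_from_exe() {
  log=$1; exe=$2; key=${3:-auditlog}
  awk -v exe="\"$exe\"" -v key="\"$key\"" '
    $1 == "type=SYSCALL" {
      has_exe = 0; has_key = 0
      for (i = 2; i <= NF; i++) {
        if ($i == ("exe=" exe)) has_exe = 1
        if ($i == ("key=" key)) has_key = 1
      }
      if (has_exe && has_key) n++
    }
    END { print n + 0 }
  ' "$log"
}

# Constructed sample: the four records quoted in the question, plus one made-up
# event from /bin/cat so the count can tell the two processes apart.
write_sample_log() {
  cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1571391173.197:314775): arch=c000003e syscall=257 success=yes exit=13 a0=ffffff9c a1=3453780 a2=80000 a3=0 items=1 ppid=1 pid=16253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logdna-agent" exe="/usr/bin/logdna-agent" key="auditlog"
type=CWD msg=audit(1571391173.197:314775): cwd="/"
type=PATH msg=audit(1571391173.197:314775): item=0 name="/var/log/audit/audit.log" inode=49 dev=07:03 mode=0100640 ouid=0 ogid=4 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1571391173.197:314775): proctitle="logdna-agent"
type=SYSCALL msg=audit(1571391180.000:314790): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1 a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="cat" exe="/bin/cat" key="auditlog"
EOF
}

# Usage (as root): ./auditlog-rules.sh /etc/audit/rules.d/50-auditlog.rules && augenrules --load
if [ -n "${1:-}" ]; then
  write_rules "$1"
  rules_order_ok "$1"
  echo "rules written to $1; never rule precedes the watch"
fi
```

After `augenrules --load`, `auditctl -l` shows the loaded rules in order (the never rules must list first) and `ausearch -k auditlog -x logdna-agent` should return nothing new. The blunter alternative, if no process's reads of the audit log are of interest, is to drop `r` from the watch (`-p wxa`), which stops recording reads from every process rather than just the agent.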