On 2/28/23 09:31, Paul Moore wrote:
> On Tue, Feb 28, 2023 at 10:35 AM Anurag Aggarwal
> <anurag19aggarwal(a)gmail.com> wrote:
>> Hello Paul,
>>
>> Thank you for your information.
>>
>>> If you have a particular audit
>>> rule which is too verbose *and* you are willing to lose audit records
>>> from that filter rule (which is what would happen if they were rate
>>> limited), you might want to consider making that audit filter rule
>>> more targeted to the event you are interested in logging. Generating
>>> more audit records than you want to see can be a sign of an overly
>>> general audit rule.
>> I agree that having rules which are too verbose is not a very good idea.
>>
>> Beside this, is there any other mechanism which we can use to get a similar effect?
>
> Nothing comes quickly to mind, perhaps others on the mailing list
> might have some ideas ... ?
Not much else to offer above what Paul already replied. Maybe if we saw
your rule we could offer more.
What we do not know is - do you have any filtering criteria in mind not
covered by the available auditctl exclusions or do you just want to
"sample" randomly?
If the latter, why bother auditing this with a rule at all? You might be
able to remove the rule causing the events and do something in userspace
to audit only what you really want.
Without a bit more context on the events, rule and intent it is hard to
suggest alternatives. But in general, it is preferable to exclude as
much noise as possible in your collection to ensure you get only what is
required/desired in your audit logs.
LCB
--
Lenny Bruzenak
MagitekLTD
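As an added illustration of the "make the rule more targeted" and "exclude as much noise as possible" advice above (not part of the thread), here is an overly general rule beside a targeted replacement in audit.rules syntax; the daemon path, uid threshold and rule keys are made-up values.

```conf
## Added example, not from the thread. Values below are constructed.

## Too verbose: every openat() on the host becomes a record, most of it noise.
-a always,exit -F arch=b64 -S openat -k all_opens

## Targeted replacement. The exit filter matches rules in order, so the
## "never" exclusion must be listed before the "always" rule it shields.

## Skip a chatty daemon we have decided not to watch (hypothetical path).
-a never,exit -F dir=/etc -F perm=wa -F exe=/usr/sbin/example-daemon

## Only record write/attribute changes under /etc by interactive users:
## auid>=1000 skips system accounts, auid!=unset skips daemons started at boot.
-a always,exit -F dir=/etc -F perm=wa -F auid>=1000 -F auid!=unset -k etc_changes

## Exclude filter: suppress record types that add bulk but no signal here.
-a exclude -F msgtype=CWD
-a exclude -F msgtype=PROCTITLE
```

Unlike a global `-r` rate limit, nothing here drops records at random: every event that still matches the `always` rule is kept, and what is removed is chosen by filter criteria you can audit and review.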