Re: Systemd Journald and audit logging causing journal issues

On Wednesday, October 18, 2017 12:13:13 PM EDT Brad Zynda wrote: > So now you have to comment out a rule at a time and watch for > usage/count to fall? Well, I am certain that commenting out that rule will drop the count. But the question more is why is that rule being triggered. One thing you could do is post the rule to the mail list if you think it might be formed wrong. But you might also want to see whay its being triggered by doing something like ausearch --start today -k perm_mod --raw | aureport --summary --file -i ausearch --start today -k perm_mod --raw | aureport --summary -x -i ausearch --start today -k perm_mod --raw | aureport --summary --syscall -i > Also if I wanted to grep and compare those numbers and alert with an > email what would be the magic number to threshold with in a gt statement > (500, 1000, etc.)? That's a bit harder. You'd want a sliding window of time. Assuming your cron job runs once an hour and a US locale, you'd do something like this: aureport --start `date -d '1 hour ago' "+%m/%d/%Y %H:%M:%S"` --key --summary --input-logs I don't know what the best threshold would be because its workload dependent. If you wanted to see things visualized, I'd try playing with the data in R. http://security-plus-data-science.blogspot.com/2017/03/bar-charts.html http://security-plus-data-science.blogspot.com/2017/03/heatmaps.html That assumes you have a recent audit package (2.7 or higher) and RStudio. -Steve