Distributed Cloud AIP Linux Agent and auditd

For the Linux Agent to collect audit activity on a Linux host, you need to disable the default auditd process that most Linux distributions enable.

The Linux Agent was designed to replace auditd: it binds the same netlink socket that auditd uses to read from the kernel audit subsystem. Disabling auditd therefore does not leave gaps in your security posture.

The Linux Agent captures exactly the same data as the default auditd process. Distributed Cloud AIP re-formats the data into JSON, which is what you see in your organization's event stream. In addition to capturing the same data, Distributed Cloud AIP provides enhancements such as improved performance and Lua filtering.
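Because only one user-space reader should own the kernel audit netlink socket at a time, a practical check after disabling auditd is to confirm that exactly one consumer is bound to it. The POSIX shell script below is an added example, not F5's or the agent's own code; it parses the kernel's /proc/net/netlink table, where the Eth column is the netlink protocol number (NETLINK_AUDIT is 9) and the Pid column is the socket's portid (0 for the kernel's own socket, normally the process PID for user-space sockets). The sample table is constructed.

```shell
#!/bin/sh
# Added example: count user-space processes bound to the kernel audit
# netlink socket by parsing /proc/net/netlink (read from stdin).
# NETLINK_AUDIT is protocol 9 in <linux/netlink.h>; the kernel's own
# socket for each protocol shows portid 0 and is skipped.

NETLINK_AUDIT=9

# audit_consumers: print the portid of every user-space audit socket, one per line.
# Column layout: sk Eth Pid Groups Rmem Wmem Dump Locks Drops Inode (header on line 1).
audit_consumers() {
    awk -v proto="$NETLINK_AUDIT" 'NR > 1 && $2 == proto && $3 != 0 { print $3 }'
}

# audit_consumer_count: number of user-space audit netlink consumers.
audit_consumer_count() {
    audit_consumers | wc -l | tr -d ' '
}

# check_audit_socket: human-readable verdict; more than one bound reader means
# two collectors (for example auditd and the agent) are competing for events.
check_audit_socket() {
    table=$(cat)
    n=$(printf '%s\n' "$table" | audit_consumer_count)
    case "$n" in
        0) echo "no user-space process holds the audit netlink socket" ;;
        1) echo "one audit consumer bound (portid $(printf '%s\n' "$table" | audit_consumers))" ;;
        *) echo "WARNING: $n audit consumers bound; only one reader should own the socket" ;;
    esac
}

# Constructed sample (not a real capture): the kernel's own audit socket
# (portid 0), one audit reader on portid 812, and two NETLINK_ROUTE sockets.
SAMPLE_NETLINK='sk               Eth Pid        Groups   Rmem     Wmem     Dump  Locks    Drops    Inode
0000000000000000 0   0          00000000 0        0        0     2        0        11
0000000000000000 9   0          00000000 0        0        0     2        0        12
0000000000000000 9   812        00000000 0        0        0     2        0        9876
0000000000000000 0   1043       00000551 0        0        0     2        0        15321'

# Demo on the constructed sample; on a live host run:
#   check_audit_socket < /proc/net/netlink
printf '%s\n' "$SAMPLE_NETLINK" | check_audit_socket
```

On a host where auditd has been stopped and the agent started, the reported portid should belong to the agent process, and a count of two indicates auditd was not fully disabled.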

Should you have any questions or concerns, please contact the Distributed Cloud AIP Support team: aipsupport@f5.com.
