Troubleshoot: Distributed Cloud AIP Agent and journald

Issue

The F5 Distributed Cloud App Infrastructure Protection (AIP) host-based Agent may capture excessive audit events when the journald service configuration monitors the operating system's (OS's) audit socket. The Distributed Cloud AIP Agent also watches the OS audit socket, so the same audit events are consumed twice, which is redundant.

Important

CoreOS includes this journald configuration by default, and the configuration can be enabled on other Linux OSs.

Resolution

Mask the audit socket from journald. The mask reduces both noise and load on your Linux host.

To mask the audit socket from journald, use the following commands:

$ sudo systemctl mask systemd-journald-audit.socket
$ sudo systemctl restart systemd-journald

Masking links the unit name in `/etc/systemd/system/` to `/dev/null`, so the socket unit can no longer be started. This completely removes audit output into journald.

Once the journald has been restarted, restart the Agent.

To restart the Agent, run the following command:

$ sudo systemctl restart threatstack

To verify whether or not the journald configuration monitors the audit socket, run the following command:

ls -l /etc/systemd/system/systemd-journald-audit.socket

If the file is a link to `/dev/null`, then journald does not monitor the audit socket.
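The verification step above can be scripted so that it distinguishes the masked state from an unmasked or absent override. The following is an added example, not part of the original article or an F5 tool; the function takes the unit path as an argument so it can be pointed at a test location, and defaults to the path shown above.

```shell
#!/bin/sh
# Checks whether journald's audit socket unit is masked, i.e. the override
# in /etc/systemd/system is a symlink to /dev/null (what `systemctl mask` creates).
# Assumes the standard unit name; the path argument exists only for testing.

# Exit status: 0 = masked (link to /dev/null), 1 = present but not masked,
# 2 = no override present (vendor unit is active, so journald reads the socket).
audit_socket_masked() {
    path="${1:-/etc/systemd/system/systemd-journald-audit.socket}"
    if [ -L "$path" ]; then
        target=$(readlink "$path")
        # `systemctl mask` writes an absolute link target, so compare exactly.
        [ "$target" = "/dev/null" ] && return 0
        return 1
    fi
    [ -e "$path" ] && return 1
    return 2
}

# Prints a one-line verdict; the same information `ls -l` gives, but explicit.
report_audit_socket() {
    rc=0
    audit_socket_masked "$1" || rc=$?
    case $rc in
        0) echo "masked: journald does not read the audit socket" ;;
        1) echo "not masked: journald still consumes audit events (redundant with the AIP Agent)" ;;
        2) echo "no override present: journald still consumes audit events (redundant with the AIP Agent)" ;;
    esac
}

report_audit_socket "$@"
```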
