Troubleshooting: Threat Stack Agent and journald


Issue:

The Threat Stack host-based Agent may capture excessive audit events when journald is configured to read the kernel audit socket (the systemd-journald-audit.socket unit). The Agent already consumes the kernel audit socket itself, so with both readers enabled every audit record is processed twice, which adds load on the host and noise in the Agent's event stream.

Important

CoreOS ships this journald configuration enabled by default, and it can be enabled on other Linux distributions as well, so check for it on any host, not only CoreOS.

Resolution:

Mask the journald audit socket unit so journald stops reading the audit socket. The mask reduces both noise and load on your Linux host; the Agent continues to receive audit events from the kernel.

To mask the audit socket from journald, use the following commands:

$ sudo systemctl mask systemd-journald-audit.socket
$ sudo systemctl restart systemd-journald

Masking creates a symlink at /etc/systemd/system/systemd-journald-audit.socket that points to `/dev/null`. The symlink takes precedence over the vendor unit file (the vendor file itself is not modified) and prevents the unit from being started or socket-activated, so audit output no longer reaches journald. Note that mask alone does not stop a socket unit that is already active: stop it as well before restarting journald (systemctl mask --now does both in one step).

Once journald has been restarted, restart the Agent.

To restart the Agent, run the following command:

$ sudo systemctl restart threatstack-agent

To verify whether journald still monitors the audit socket, run the following command:

$ ls -l /etc/systemd/system/systemd-journald-audit.socket

If the output shows the file as a symlink to `/dev/null` (ls prints "-> /dev/null" at the end of the line), the unit is masked and journald does not monitor the audit socket. If the file does not exist, or points anywhere other than /dev/null, journald still monitors the audit socket.
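The whole procedure as one script, added here as an example and not part of the original article: it masks and stops the socket, restarts journald and the Agent, then checks both the symlink target and the unit state. The unit and service names (systemd-journald-audit.socket, systemd-journald, threatstack-agent) are the ones the article uses; the assumptions are that systemctl supports mask --now (systemd 220 and later) and that journal entries ingested from the audit socket carry _TRANSPORT=audit, which the closing journalctl call uses to confirm nothing new arrives after the restart. The state-classification helpers are plain shell so they can be exercised on a host without systemd.

```shell
#!/bin/bash
# Added example, not code from the original article or from Threat Stack.
# Masks the journald audit socket, restarts journald and the Agent, verifies.
set -eu

UNIT=systemd-journald-audit.socket
OVERRIDE=/etc/systemd/system/$UNIT
AGENT=threatstack-agent

# Map "systemctl is-enabled" output to what it means for this article.
# Pure shell so it can be checked without systemd present.
classify_state() {
    case "$1" in
        masked|masked-runtime)          echo masked ;;
        enabled|static|indirect|linked) echo journald-reads-audit ;;
        disabled)                       echo disabled ;;
        *)                              echo unknown ;;
    esac
}

# A mask is a symlink in /etc/systemd/system pointing exactly at /dev/null.
# "/dev/null/" (trailing slash) or an empty target is not a mask.
is_mask_target() {
    [ "$1" = "/dev/null" ]
}

# Target of the override symlink, or the empty string if none exists.
current_mask_target() {
    readlink "$OVERRIDE" 2>/dev/null || true
}

mask_audit_socket() {
    # mask alone only blocks future activations; --now (assumed available,
    # systemd >= 220) also stops the running socket so a restarted journald
    # cannot be handed the audit fd again.
    sudo systemctl mask --now "$UNIT"
    sudo systemctl restart systemd-journald
    sudo systemctl restart "$AGENT"
}

verify() {
    local target state_raw state
    target=$(current_mask_target)
    state_raw=$(systemctl is-enabled "$UNIT" 2>/dev/null) || true
    state=$(classify_state "${state_raw:-unknown}")
    if is_mask_target "$target" && [ "$state" = masked ]; then
        echo "ok: $UNIT is masked ($OVERRIDE -> $target)"
        # Audit records journald still ingests carry _TRANSPORT=audit
        # (assumption, see lead-in); after the restart this should be empty.
        journalctl -b _TRANSPORT=audit --since "-1min" --no-pager || true
        return 0
    fi
    echo "not masked: state=$state target=${target:-none}" >&2
    return 1
}

# Only act when explicitly asked, so sourcing this file has no side effects.
case "${1:-}" in
    apply)  mask_audit_socket; verify ;;
    verify) verify ;;
    "")     ;;
    *)      echo "usage: $0 {apply|verify}" >&2; exit 2 ;;
esac
```

Run it as "sudo bash mask-journald-audit.sh apply" on the affected host, or with "verify" alone to audit a fleet without changing anything; the exit status (0 masked, 1 not masked) makes it usable from a configuration-management check.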
