The Threat Stack host-based Agent may capture excessive audit events when the journald service is configured to monitor the operating system's audit socket. The Threat Stack Agent also reads the OS audit socket, so the two consumers are redundant and every event is processed twice.
The CoreOS OS includes this journald configuration by default, and this configuration can be enabled on other Linux OSs.
Mask the audit socket from journald. The mask reduces both noise and load on your Linux host.
To mask the audit socket from journald, use the following commands:
$ sudo systemctl mask systemd-journald-audit.socket
$ sudo systemctl restart systemd-journald
Masking replaces the systemd unit file with a symlink to `/dev/null`, which completely removes audit output from journald.
Once the journald has been restarted, restart the Agent.
To restart the Agent, run the following command:
$ sudo systemctl restart threatstack-agent
To verify whether the journald configuration monitors the audit socket, run the following command:
$ ls -l /etc/systemd/system/systemd-journald-audit.socket
If the file is a symlink pointing to `/dev/null`, then journald does not monitor the audit socket.
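The following script is an added example, not part of the Threat Stack documentation. It wraps the verification step above in a function that reports the state of the unit override (masked, unmasked or absent) so it can be used in a configuration check, and a second function that applies the documented mask and restart sequence only when the socket is not already masked. The path argument is an assumption added for testability; on a real host the default path is the one the article names.

```shell
#!/bin/sh
# Added example (not Threat Stack's own code): check whether the journald
# audit socket unit has been masked, and apply the documented fix if not.

# Print "masked", "unmasked" or "absent" for the given unit override path.
# systemctl mask writes a symlink to /dev/null at
# /etc/systemd/system/<unit>, so that is what "masked" looks for.
# "absent" means no override exists and the distribution default applies
# (on CoreOS, journald then listens on the audit socket).
journald_audit_socket_state() {
    unit_path="${1:-/etc/systemd/system/systemd-journald-audit.socket}"
    if [ -L "$unit_path" ]; then
        target=$(readlink "$unit_path")
        if [ "$target" = "/dev/null" ]; then
            echo masked
        else
            echo unmasked
        fi
    elif [ -e "$unit_path" ]; then
        # A regular file here is a local override, not a mask.
        echo unmasked
    else
        echo absent
    fi
}

# Run the documented procedure only when the socket is not already masked.
# Needs root on a systemd host; the restart of the Agent comes last so it
# reattaches to the audit socket after journald has let go of it.
mask_audit_socket_if_needed() {
    state=$(journald_audit_socket_state)
    if [ "$state" = masked ]; then
        echo "audit socket already masked; nothing to do"
        return 0
    fi
    sudo systemctl mask systemd-journald-audit.socket
    sudo systemctl restart systemd-journald
    sudo systemctl restart threatstack-agent
}
```

Usage: `journald_audit_socket_state` with no argument inspects the real override path; `systemctl is-enabled systemd-journald-audit.socket` gives the same answer (it prints `masked`) without inspecting the filesystem directly.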