Workaround for the Known Linux Limitation with auditd

There is a known Linux issue where the default auditd process only allows one connection for audit socket control. As a result, any applications that use auditd conflict with the F5 Distributed Cloud App Infrastructure Protection (AIP) Agent over access to socket control. This can cause customer issues for several reasons:

  • The customer uses non-Distributed Cloud AIP audit rules to process logs.
  • The customer sends all logs to an SIEM or other log aggregator.
  • The customer deploys non-Distributed Cloud AIP agents that need access to auditd data.


Enable raw_log for the Distributed Cloud AIP Agent. The raw_log outputs all logging from tsauditd to log files. Those log files are then stored in two locations:

  • Distributed Cloud AIP tsaudit.log
  • The OS's defined auditd log in /var/log/, through which all other applications can access auditd data, thus preventing the audit socket control conflict.


tsauditd logs contain far more information than the standard tsaudit logs.

Agent 3.x and 2.x Series

To enable raw_log for the Distributed Cloud AIP Agent 3.x and 2.x:

  1. Navigate to /opt/threatstack/etc/.
  2. Locate the tsauditd-custom.cfg file. If the file does not exist, then you need to create one.
    • Copy the contents of the tsauditd.cfg file into a newly-created tsauditd-custom.cfg file.
  3. In your text editor of choice, open the tsauditd-custom.cfg file.
  4. Add the "raw_log" field at the same depth as filter, nnsleep, and noop. Its value is as follows:

    For an example, see below.

  5. Restart the Distributed Cloud AIP Agent with the following command:
    sudo systemctl restart threatstack
  6. On the OS, disable auditd.
  7. Point any application that needs access to auditd data to the raw event stream, in this case /opt/threatstack/log/tsaudit-raw.log. This prevents non-Distributed Cloud AIP applications from subscribing to the audit socket and causing conflicts with the Distributed Cloud AIP Agent.

Example of raw_log enabled for the Distributed Cloud AIP Agent:


"threatstack": {

"auditd": {

"extra-netinfo": false,

"max-eoe-flush": 100,

"noop": 3,

"nnsleep": 1,


"filter": "/opt/threatstack/etc/tsauditd.lua",

"cpumon": {

"max_rlim": 50000,

"min_rlim": 1000,

"inc-by": 300,

"dec-by": 50,

"ival-sec": 1,

"ival-usec": 0,

"avg-after": 5,

"max-cpu": 40,

"enabled": true },
"processors": [

"output": {

"config": {},

"type": "stdout",

"enable-noop": true




Was this article helpful?
0 out of 0 found this helpful