I am showing that Zabbix Agent is hammering my AuditD logs. I am being asked to check the frequency of my checks, but I am seeing nothing that would account for the frequency I am seeing. The most frequent check I am seeing is every 30 seconds, and that is uptime.
I am showing in my conf file that both active and passive checks are configured. Could that explain why I am getting hammered so hard?
root@host:~ $ sudo ausearch -i | grep -i -e "mdatp"
...
type=SYSCALL msg=audit(05/02/2022 14:22:45.172:31198302) : arch=x86_64 syscall=accept success=yes exit=6 a0=0x4 a1=0x7fffd567be40 a2=0x7fffd567bdbc a3=0x0 items=0 ppid=2077 pid=2082 auid=unset uid=zabbix gid=zabbix euid=zabbix suid=zabbix fsuid=zabbix egid=zabbix sgid=zabbix fsgid=zabbix tty=(none) ses=unset comm=zabbix_agentd exe=/usr/sbin/zabbix_agentd subj=system_u:system_r:zabbix_agent_t:s0 key=mdatp
root@host:~ $ sudo ls -lh /var/log/audit/
total 193M
-rw-------. 1 root root 2.7M May 2 14:26 audit.log
-r--------. 1 root root 11M May 2 14:05 audit.log.1
-r--------. 1 root root 11M May 2 03:34 audit.log.10
-r--------. 1 root root 11M May 2 02:16 audit.log.11
-r--------. 1 root root 11M May 2 01:10 audit.log.12
-r--------. 1 root root 11M May 1 23:55 audit.log.13
-r--------. 1 root root 11M May 1 22:49 audit.log.14
-r--------. 1 root root 11M May 1 21:33 audit.log.15
-r--------. 1 root root 11M May 1 20:17 audit.log.16
-r--------. 1 root root 11M May 1 19:09 audit.log.17
-r--------. 1 root root 11M May 1 17:52 audit.log.18
-r--------. 1 root root 11M May 1 16:35 audit.log.19
-r--------. 1 root root 11M May 2 13:02 audit.log.2
-r--------. 1 root root 11M May 2 11:48 audit.log.3
-r--------. 1 root root 11M May 2 10:44 audit.log.4
-r--------. 1 root root 11M May 2 09:29 audit.log.5
-r--------. 1 root root 11M May 2 08:14 audit.log.6
-r--------. 1 root root 11M May 2 07:07 audit.log.7
-r--------. 1 root root 11M May 2 05:51 audit.log.8
-r--------. 1 root root 11M May 2 04:37 audit.log.9
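A way to answer the frequency question from the audit log itself rather than from the Zabbix configuration: the script below (an added example, not part of the post) parses `ausearch -i` SYSCALL records, groups them by process, syscall and audit key, and reports how many records each source produced per minute. The log lines embedded in it are constructed to resemble the record in the post; on a real host feed it `sudo ausearch -i -m SYSCALL` on stdin.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime

# Header of an `ausearch -i` record: interpreted timestamp, milliseconds, serial.
HEADER_RE = re.compile(r"msg=audit\((\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\.(\d{3}):(\d+)\)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample resembling the records in the post (not real log data).
SAMPLE = """\
type=SYSCALL msg=audit(05/02/2022 14:22:45.172:31198302) : arch=x86_64 syscall=accept success=yes exit=6 pid=2082 uid=zabbix comm=zabbix_agentd exe=/usr/sbin/zabbix_agentd key=mdatp
type=SYSCALL msg=audit(05/02/2022 14:22:46.180:31198303) : arch=x86_64 syscall=accept success=yes exit=6 pid=2082 uid=zabbix comm=zabbix_agentd exe=/usr/sbin/zabbix_agentd key=mdatp
type=SYSCALL msg=audit(05/02/2022 14:22:47.171:31198304) : arch=x86_64 syscall=accept success=yes exit=6 pid=2082 uid=zabbix comm=zabbix_agentd exe=/usr/sbin/zabbix_agentd key=mdatp
type=SYSCALL msg=audit(05/02/2022 14:22:50.000:31198306) : arch=x86_64 syscall=connect success=yes exit=0 pid=900 uid=root comm=sshd exe=/usr/sbin/sshd key=mdatp
type=SYSCALL msg=audit(05/02/2022 14:23:15.172:31198310) : arch=x86_64 syscall=accept success=yes exit=6 pid=2082 uid=zabbix comm=zabbix_agentd exe=/usr/sbin/zabbix_agentd key=mdatp
type=PROCTITLE msg=audit(05/02/2022 14:22:45.172:31198302) : proctitle=/usr/sbin/zabbix_agentd
"""

def parse_record(line):
    """Return (datetime, fields) for a SYSCALL record, or None for any other record type."""
    if not line.startswith("type=SYSCALL"):
        return None
    m = HEADER_RE.search(line)
    if m is None:
        return None
    when = datetime.strptime(f"{m.group(1)}.{m.group(2)}", "%m/%d/%Y %H:%M:%S.%f")
    return when, dict(FIELD_RE.findall(line))

def rate_by_source(lines):
    """Group SYSCALL records by (comm, syscall, key); report count, time span and events per minute."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        when, f = rec
        times[(f.get("comm"), f.get("syscall"), f.get("key"))].append(when)
    report = {}
    for src, ts in times.items():
        ts.sort()
        span = (ts[-1] - ts[0]).total_seconds()  # a single record has no measurable span
        per_min = round(len(ts) * 60 / span, 1) if span > 0 else float("inf")
        report[src] = {"count": len(ts), "span_s": round(span, 3), "per_min": per_min}
    return report

if __name__ == "__main__":
    lines = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for src, r in sorted(rate_by_source(lines).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{src[0]:>16} {src[1]:>8} key={src[2]:<8} {r['count']:>6} events over {r['span_s']}s = {r['per_min']}/min")
```

Comparing the per-minute figure for `zabbix_agentd`/`accept` against the configured item intervals shows whether the volume comes from the checks themselves or from additional connections the agent accepts, which is the distinction the active/passive question turns on.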