Hello.
On my Zabbix Server I am running Defender 365 (mdatp) security scanner. My auth.log grows very quickly in GB with the following entries.
Why is that?
Any idea what unconfined key is?
How can I solve this?
I have Debian 10 and Zabbix 5.4.7.
Thanks
Jun 24 11:15:00 zabfud03 audit: PROCTITLE proctitle=2F7573722F7362696E2F7A61626269785F7365727665723A20706F6C6C657220233132205B676F7420302076616C75657320696E20302E333536313932207365632C2067657474696E672076616C7565735D
Jun 24 11:15:00 zabfud03 audit[11942]: SYSCALL arch=c000003e syscall=41 success=yes exit=8 a0=2 a1=80802 a2=0 a3=55b3fe753180 items=0 ppid=11885 pid=11942 auid=4294967295 uid=121 gid=128 euid=121 suid=121 fsuid=121 egid=128 sgid=128 fsgid=128 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server" subj==unconfined key="mdatp"
Jun 24 11:15:00 zabfud03 audit: PROCTITLE proctitle=2F7573722F7362696E2F7A61626269785F7365727665723A20706F6C6C657220233132205B676F7420302076616C75657320696E20302E333536313932207365632C2067657474696E672076616C7565735D
Jun 24 11:15:00 zabfud03 audit[11942]: SYSCALL arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fa8ccb36914 a2=10 a3=55b3fe753180 items=0 ppid=11885 pid=11942 auid=4294967295 uid=121 gid=128 euid=121 suid=121 fsuid=121 egid=128 sgid=128 fsgid=128 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server" subj==unconfined key="mdatp"
Jun 24 11:15:00 zabfud03 audit: SOCKADDR saddr=02000035AC1001F60000000000000000
Jun 24 11:15:00 zabfud03 audit: PROCTITLE proctitle=2F7573722F7362696E2F7A61626269785F7365727665723A20706F6C6C657220233132205B676F7420302076616C75657320696E20302E333536313932207365632C2067657474696E672076616C7565735D
Jun 24 11:15:00 zabfud03 audit[11942]: SYSCALL arch=c000003e syscall=41 success=yes exit=8 a0=2 a1=80001 a2=6 a3=2e73440468233f items=0 ppid=11885 pid=11942 auid=4294967295 uid=121 gid=128 euid=121 suid=121 fsuid=121 egid=128 sgid=128 fsgid=128 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server" subj==unconfined key="mdatp"
Jun 24 11:15:00 zabfud03 audit: PROCTITLE proctitle=2F7573722F7362696E2F7A61626269785F7365727665723A20706F6C6C657220233132205B676F7420302076616C75657320696E20302E333536313932207365632C2067657474696E672076616C7565735D
Jun 24 11:15:00 zabfud03 audit[11942]: SYSCALL arch=c000003e syscall=49 success=yes exit=0 a0=8 a1=55b3fe71f740 a2=10 a3=7 items=0 ppid=11885 pid=11942 auid=4294967295 uid=121 gid=128 euid=121 suid=121 fsuid=121 egid=128 sgid=128 fsgid=128 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server" subj==unconfined key="mdatp"
Jun 24 11:15:00 zabfud03 audit: SOCKADDR saddr=02000000000000000000000000000000
Jun 24 11:15:00 zabfud03 audit: PROCTITLE proctitle=2F7573722F7362696E2F7A61626269785F7365727665723A20706F6C6C657220233132205B676F7420302076616C75657320696E20302E333536313932207365632C2067657474696E672076616C7565735D
Jun 24 11:15:00 zabfud03 audit[11942]: SYSCALL arch=c000003e syscall=42 success=no exit=-115 a0=8 a1=55b3fe7af530 a2=10 a3=3 items=0 ppid=11885 pid=11942 auid=4294967295 uid=121 gid=128 euid=121 suid=121 fsuid=121 egid=128 sgid=128 fsgid=128 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server" subj==unconfined key="mdatp"
Jun 24 11:15:00 zabfud03 audit: SOCKADDR saddr=02000599310C542F0000000000000000
Jun 24 11:15:00 zabfud03 audit: PROCTITLE proctitle=2F7573722F7362696E2F7A61626269785F7365727665723A20706F6C6C657220233132205B676F7420302076616C75657320696E20302E333536313932207365632C2067657474696E672076616C7565735D
Jun 24 11:15:00 zabfud03 audit[12035]: SYSCALL arch=c000003e syscall=43 success=yes exit=7 a0=4 a1=7fff39078950 a2=7fff390788cc a3=0 items=0 ppid=11885 pid=12035 auid=4294967295 uid=121 gid=128 euid=121 suid=121 fsuid=121 egid=128 sgid=128 fsgid=128 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server" subj==unconfined key="mdatp"
Jun 24 11:15:00 zabfud03 audit: SOCKADDR saddr=02002C8BC2191F440000000000000000
Jun 24 11:15:00 zabfud03 audit: PROCTITLE proctitle=2F7573722F7362696E2F7A61626269785F7365727665723A2074726170706572202335205B70726F636573736564206461746120696E20302E303030303030207365632C2077616974696E6720666F7220636F6E6E656374696F6E5D
Jun 24 11:15:00 zabfud03 audit[12033]: SYSCALL arch=c000003e syscall=43 success=yes exit=7 a0=4 a1=7fff39078950 a2=7fff390788cc a3=0 items=0 ppid=11885 pid=12033 auid=4294967295 uid=121 gid=128 euid=121 suid=121 fsuid=121 egid=128 sgid=128 fsgid=128 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server" subj==unconfined key="mdatp"
Jun 24 11:15:00 zabfud03 audit: SOCKADDR saddr=02000A61C2191F440000000000000000
Jun 24 11:15:00 zabfud03 audit: PROCTITLE proctitle=2F7573722F7362696E2F7A61626269785F7365727665723A2074726170706572202333205B70726F636573736564206461746120696E20302E303030303030207365632C2077616974696E6720666F7220636F6E6E656374696F6E5D
Jun 24 11:15:00 zabfud03 audit[12034]: SYSCALL arch=c000003e syscall=43 success=yes exit=7 a0=4 a1=7fff39078950 a2=7fff390788cc a3=0 items=0 ppid=11885 pid=12034 auid=4294967295 uid=121 gid=128 euid=121 suid=121 fsuid=121 egid=128 sgid=128 fsgid=128 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server" subj==unconfined key="mdatp"
Jun 24 11:15:00 zabfud03 audit[12031]: SYSCALL arch=c000003e syscall=43 success=yes exit=7 a0=4 a1=7fff39078950 a2=7fff390788cc a3=0 items=0 ppid=11885 pid=12031 auid=4294967295 uid=121 gid=128 euid=121 suid=121 fsuid=121 egid=128 sgid=128 fsgid=128 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server" subj==unconfined key="mdatp"
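An added example, not part of the original post and not Zabbix or Defender code: a small Python decoder for the three auditd record types shown above (SYSCALL, SOCKADDR, PROCTITLE). It turns the hex-encoded proctitle back into the Zabbix process title, decodes the sockaddr into address and port, names the x86_64 syscalls, and counts records per audit rule key and process, which is the information needed to see what is filling the log. Assumptions: the syscall table covers only the numbers that occur in the post (41 socket, 42 connect, 43 accept, 49 bind on arch=c000003e), the errno table only 115 (EINPROGRESS), and the sample input is constructed by copying a subset of the records from the post.

```python
"""Decode and summarise auditd SYSCALL/SOCKADDR/PROCTITLE records (added example)."""
import ipaddress
import re
import struct
from collections import Counter

# x86_64 (arch=c000003e) syscall numbers that occur in the post; assumption: not a full table.
SYSCALLS_X86_64 = {41: "socket", 42: "connect", 43: "accept", 49: "bind"}
# Linux errno names for the negative exit codes seen; -115 is EINPROGRESS (non-blocking connect).
ERRNO = {115: "EINPROGRESS"}
UNSET_ID = 4294967295  # auid/ses of (unsigned)-1: the process has no login session, i.e. a daemon

# Constructed sample: a subset of the records in the post (proctitle hex joined on one line).
SAMPLE = """\
Jun 24 11:15:00 zabfud03 audit: PROCTITLE proctitle=2F7573722F7362696E2F7A61626269785F7365727665723A20706F6C6C657220233132205B676F7420302076616C75657320696E20302E333536313932207365632C2067657474696E672076616C7565735D
Jun 24 11:15:00 zabfud03 audit[11942]: SYSCALL arch=c000003e syscall=41 success=yes exit=8 a0=2 a1=80802 a2=0 a3=55b3fe753180 items=0 ppid=11885 pid=11942 auid=4294967295 uid=121 gid=128 euid=121 suid=121 fsuid=121 egid=128 sgid=128 fsgid=128 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server" subj==unconfined key="mdatp"
Jun 24 11:15:00 zabfud03 audit[11942]: SYSCALL arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fa8ccb36914 a2=10 a3=55b3fe753180 items=0 ppid=11885 pid=11942 auid=4294967295 uid=121 gid=128 euid=121 suid=121 fsuid=121 egid=128 sgid=128 fsgid=128 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server" subj==unconfined key="mdatp"
Jun 24 11:15:00 zabfud03 audit: SOCKADDR saddr=02000035AC1001F60000000000000000
Jun 24 11:15:00 zabfud03 audit[11942]: SYSCALL arch=c000003e syscall=49 success=yes exit=0 a0=8 a1=55b3fe71f740 a2=10 a3=7 items=0 ppid=11885 pid=11942 auid=4294967295 uid=121 gid=128 euid=121 suid=121 fsuid=121 egid=128 sgid=128 fsgid=128 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server" subj==unconfined key="mdatp"
Jun 24 11:15:00 zabfud03 audit: SOCKADDR saddr=02000000000000000000000000000000
Jun 24 11:15:00 zabfud03 audit[11942]: SYSCALL arch=c000003e syscall=42 success=no exit=-115 a0=8 a1=55b3fe7af530 a2=10 a3=3 items=0 ppid=11885 pid=11942 auid=4294967295 uid=121 gid=128 euid=121 suid=121 fsuid=121 egid=128 sgid=128 fsgid=128 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server" subj==unconfined key="mdatp"
Jun 24 11:15:00 zabfud03 audit: SOCKADDR saddr=02000599310C542F0000000000000000
Jun 24 11:15:00 zabfud03 audit: PROCTITLE proctitle=2F7573722F7362696E2F7A61626269785F7365727665723A2074726170706572202335205B70726F636573736564206461746120696E20302E303030303030207365632C2077616974696E6720666F7220636F6E6E656374696F6E5D
Jun 24 11:15:00 zabfud03 audit[12033]: SYSCALL arch=c000003e syscall=43 success=yes exit=7 a0=4 a1=7fff39078950 a2=7fff390788cc a3=0 items=0 ppid=11885 pid=12033 auid=4294967295 uid=121 gid=128 euid=121 suid=121 fsuid=121 egid=128 sgid=128 fsgid=128 tty=(none) ses=4294967295 comm="zabbix_server" exe="/usr/sbin/zabbix_server" subj==unconfined key="mdatp"
Jun 24 11:15:00 zabfud03 audit: SOCKADDR saddr=02000A61C2191F440000000000000000
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) audit(?:\[(?P<pid>\d+)\])?: "
    r"(?P<type>\w+) (?P<body>.*)$"
)
# key=value pairs; quoted values keep their content, bare ones run to the next space.
# This also handles subj==unconfined, whose value is "=unconfined" (AppArmor label syntax).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one syslog-forwarded audit line into timestamp, host, record type and fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "type": m["type"], "fields": {}}
    if rec["type"] == "PROCTITLE":
        # log viewers often wrap the long hex string; join it before decoding
        rec["fields"]["proctitle"] = m["body"].split("proctitle=", 1)[1].replace(" ", "")
    else:
        for key, quoted, bare in FIELD_RE.findall(m["body"]):
            rec["fields"][key] = quoted if quoted else bare
    return rec


def decode_proctitle(hexstr):
    """PROCTITLE carries the command line hex-encoded; argv entries are NUL-separated."""
    raw = bytes.fromhex("".join(hexstr.split()))
    return raw.replace(b"\x00", b" ").decode("ascii", errors="replace")


def decode_saddr(hexstr):
    """SOCKADDR saddr is the raw struct sockaddr passed to connect/bind/accept."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]  # sa_family in host order (little-endian on x86_64)
    if family == 2:   # AF_INET: 2-byte port in network order, then 4-byte address
        return f"{ipaddress.ip_address(raw[4:8])}:{struct.unpack('!H', raw[2:4])[0]}"
    if family == 10:  # AF_INET6 (Linux value): port, flowinfo, then 16-byte address
        return f"[{ipaddress.ip_address(raw[8:24])}]:{struct.unpack('!H', raw[2:4])[0]}"
    return f"family={family}"


def describe_syscall(fields):
    """Name the syscall and render a failed exit code as its errno name."""
    name = SYSCALLS_X86_64.get(int(fields["syscall"]), f"syscall#{fields['syscall']}")
    rc = int(fields.get("exit", "0"))
    if fields.get("success") == "yes":
        return f"{name} -> {rc}"
    return f"{name} -> {ERRNO.get(-rc, rc)}"


def summarize(text):
    """Count SYSCALL records per (rule key, comm) and per syscall outcome; decode the rest."""
    by_key, by_call, endpoints, proctitles = Counter(), Counter(), [], set()
    for line in text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        f = rec["fields"]
        if rec["type"] == "SYSCALL":
            by_key[(f.get("key"), f.get("comm"))] += 1
            by_call[describe_syscall(f)] += 1
        elif rec["type"] == "SOCKADDR":
            endpoints.append(decode_saddr(f["saddr"]))
        elif rec["type"] == "PROCTITLE":
            proctitles.add(decode_proctitle(f["proctitle"]))
    return {"by_key": by_key, "by_call": by_call, "endpoints": endpoints, "proctitles": proctitles}


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for (key, comm), n in summary["by_key"].most_common():
        print(f"rule key {key!r} process {comm!r}: {n} syscall records")
    for call, n in summary["by_call"].most_common():
        print(f"  {n}x {call}")
    print("endpoints:", ", ".join(summary["endpoints"]))
    for title in sorted(summary["proctitles"]):
        print("process title:", title)
```

Run against the full auth.log (`summarize(open("/var/log/auth.log").read())`) the per-key counter shows directly which rule key and which process account for the volume. What the post reads as an "unconfined key" is two separate fields: `subj==unconfined` is the AppArmor security context of the process (the leading `=` is how AppArmor labels are rendered, and `unconfined` means no profile is applied to zabbix_server), while `key="mdatp"` is the `-k` tag of the auditd rule that produced the record, which the Defender agent attaches to the rules it installs; `auditctl -l` lists the loaded rules together with their keys. The decoded records show that every socket, bind, connect and accept made by the Zabbix pollers and trappers matches one of those rules, and `exit=-115` on a `connect` is just EINPROGRESS from a non-blocking connect, not an error. How to exclude a process from the agent's audit rules is agent-specific, but the summary tells you which process and which rule key the exclusion has to cover.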