We are seeing a weird issue. We are using auditbeat as a pod running on our Kubernetes cluster; however, one day we saw a large number of audit events being written to our worker node's /var/log/messages, and I can confirm the auditd service has been disabled on the worker node. Is there any reason this happens? Thanks for the help.
journald can receive audit events over multicast and log them. You can disable it with systemctl mask systemd-journald-audit.socket.
The kernel has a feature to optionally write messages using printk. You can control this with Auditbeat by adding failure_mode: silent (see docs). You can check the value with auditctl -s (from auditd) or auditbeat show auditd-status.
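As an added illustration of the check in the reply above (this is not code from the original thread or from the Auditbeat project), the script below parses the key/value output of `auditctl -s` and reports whether the kernel is configured to fall back to printk, whether any userspace audit daemon is currently registered (`pid 0` means none), and whether records have been lost. The sample output is constructed, not captured from the poster's node; the mapping of the `failure` field (0 = silent, 1 = printk, 2 = panic) follows the kernel's audit UAPI header.

```python
"""Diagnose why audit records might be reaching syslog/journald via printk.

Parses `auditctl -s` style output ("key value" per line). Run it on the
constructed sample below, or pipe real output in:
    auditctl -s | python3 audit_status_check.py
"""
import sys

# Kernel audit failure modes (include/uapi/linux/audit.h).
AUDIT_FAIL_SILENT = 0
AUDIT_FAIL_PRINTK = 1
AUDIT_FAIL_PANIC = 2
FAILURE_NAMES = {AUDIT_FAIL_SILENT: "silent",
                 AUDIT_FAIL_PRINTK: "printk",
                 AUDIT_FAIL_PANIC: "panic"}

# Constructed sample of `auditctl -s` output (assumed shape, not a real capture).
SAMPLE_STATUS = """\
enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 1234
backlog 0
loginuid_immutable 0 unlocked
"""


def parse_audit_status(text):
    """Turn 'key value [extra]' lines into a dict; numeric values become ints."""
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        key, value = parts[0], parts[1]
        try:
            status[key] = int(value)
        except ValueError:
            status[key] = value
    return status


def diagnose(status):
    """Return a list of human-readable findings relevant to printk flooding."""
    findings = []
    failure = status.get("failure")
    if failure == AUDIT_FAIL_PRINTK:
        findings.append("failure mode is printk: undeliverable audit records are "
                        "written to the kernel log (and so to syslog/journald); "
                        "set failure_mode: silent in Auditbeat to stop this")
    elif failure == AUDIT_FAIL_PANIC:
        findings.append("failure mode is panic: audit delivery failure will "
                        "crash the node")
    if status.get("pid", 0) == 0:
        findings.append("pid 0: no userspace audit daemon (auditd/Auditbeat) is "
                        "currently registered to receive audit records")
    lost = status.get("lost", 0)
    if isinstance(lost, int) and lost > 0:
        findings.append(f"lost {lost}: the kernel has already dropped audit records")
    return findings


def failure_mode_name(status):
    """Name of the configured failure mode, or 'unknown'."""
    return FAILURE_NAMES.get(status.get("failure"), "unknown")


def main():
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    status = parse_audit_status(text)
    print(f"failure mode: {failure_mode_name(status)}")
    for finding in diagnose(status) or ["no issues found"]:
        print(f" - {finding}")


if __name__ == "__main__":
    main()
```

The same check works on the output of `auditbeat show auditd-status` if that command prints the same key/value layout (an assumption; verify against your Auditbeat version).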