Auditbeat logs write to /var/log/messages

hi guys,

we are sawing weird issue, we are using auditbeat as pod running on our kubenets cluster, however in some day, we saw there is a large audit events has been write to our work node /var/log/message, and i can confirm auditd service has been disable on the work node. so anything reason happen on this ? thanks for help

a lot auditd events write in /var/log/messages in short time

Sep  7 18:16:52 node-v88jz-11 audit: PROCTITLE proctitle=2F6E657464002D2D64697361626C652D746573736E65742D66696E616C697A65723D74727565002D2D636F6E6669673D2F6D6E742F6970616D2D636F6E6669672F636F6E6669672E6A736F6E002D2D656E61626C652D746C626D656D6265722D636F6E74726F6C6C65723D74727565002D2D746C626D656D6265722D776F726B
Sep  7 18:16:52 node-v88jz-11 audit[57547]: SYSCALL arch=c000003e syscall=281 success=yes exit=0 a0=3 a1=c001049800 a2=80 a3=0 items=0 ppid=57169 pid=57547 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="admission-serve" exe="/admission-server" subj=? key=(null)
Sep  7 18:16:52 node-v88jz-11 audit[57547]: SYSCALL arch=c000003e syscall=281 success=yes exit=0 a0=3 a1=c001049800 a2=80 a3=0 items=0 ppid=57169 pid=57547 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="admission-serve" exe="/admission-server" subj=? key=(null)
Sep  7 18:16:52 node-v88jz-11 audit[57923]: SYSCALL arch=c000003e syscall=202 success=yes exit=0 a0=c0047e2148 a1=80 a2=0 a3=0 items=0 ppid=60774 pid=57923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netd" exe="/netd" subj=? key=(null)
Sep  7 18:16:52 node-v88jz-11 audit[57923]: SYSCALL arch=c000003e syscall=202 success=yes exit=0 a0=c0047e2148 a1=80 a2=0 a3=0 items=0 ppid=60774 pid=57923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netd" exe="/netd" subj=? key=(null)
Sep  7 18:16:52 node-v88jz-11 audit: PROCTITLE proctitle=2F61646D697373696F6E2D736572766572002D2D61757468656E7469636174696F6E2D6B756265636F6E6669673D2F6574632F6170697365727665722F6167672D6B756265636F6E666967002D2D61757468656E7469636174696F6E2D736B69702D6C6F6F6B75703D74727565002D2D617574686F72697A6174696F6E2D6B75

I can think of a two things to check.

  1. journald can receive audit events over multicast and log them. You can disable it with systemctl mask systemd-journald-audit.socket.

  2. The kernel has a feature to optionally write messages using printk. You can control this with Auditbeat by adding failure_mode: silent (see docs). You can check the value with auditctl -s (from auditd) or auditbeat show auditd-status.

thanks andrewkroh, let me try that