This blog is going to do a quick walk through of setting up the centrifydc.conf file to reduce AUDIT_TRAIL trace events in the logs.
By the end of this guide you would be familiar with the process and steps to achieve this task. 

A few things before we moving forward:

• Q: What is AUDIT_TRAIL?
• A: It is a log for every action on the server. We can track security-relevant events, record the events in a log file, and detect misuse or unauthorized activities by inspecting the audit log files.

For more details about AUDIT_TRAIL event, please check our product documentation guide: centrify-audit-events-guide.pdf

Before we implement or modify anything, we will see a lot of AUDIT_TRAIL traces being generated in both centrifydc.log and messages log. See attached images below.

/var/log/messages


/var/log/centrifydc.log


In order to reduce to logging of INFO AUDIT_TRAIL, please follow the steps below to achieve the task.

STEP 1:
Check what is the logging level in the centrifydc.conf file. By default, it should be shown as INFO or DEBUG (only when you enable addebug on) level.



STEP 2:
Run grep "log.client.audittrail" /etc/centrifydc/centrifydc.conf in your Linux terminal.


Note: log.client.audittrail is an unshipped parameter, so you should not be see anything returned, just like the attached image above. 

STEP 3:
Add the log.client.audittrail parameter with value WARN in the centrifydc.conf file


STEP 4:
Save the file and run adreload command


STEP 5:
Use tail command to confirm if there are any AUDIT_TRAIL traces still showing in the log.

Before following required steps, it is easy to tail the AUDIT_TRAIL trace.



 After following the required steps, we will be able to see the tremendous improvement.

/var/log/centrifydc.log


/var/log/messages