Revising my question... I wasn't clear on this at all
I have Splunk forwarding agent already installed on my gateways. I'm looking for the configuration to ONLY log to the default log file. I already have Splunk ingesting my gateway logs and I want to avoid the DB hits.
In Policy Manager, I only see the option in Manage Audit Sinks to send to DB, Sink, or both. However, I have to choose one. If writing to the log is done by default, why is a Sink needed?
If it is needed, how should it be configured so that it becomes a No-Op? Is the intent to have this set up as a "global" audit? I'm okay with that if it is... Could someone please clarify for me?