topic Re: Can audit.log be forwarded to another index? in Getting Data In

Can audit.log be forwarded to another index?

nmouli — Fri, 03 Jun 2016 07:12:07 GMT

Hello There

I'm trying to index a few Splunk internal logs like splunkd, metrics, web*, audit, etc under /var/log/splunk to another index, however, all the logs are populating in the other index except audit.log

please suggest..

Many Thanks!

Re: Can audit.log be forwarded to another index?

nmouli — Wed, 11 Jan 2017 18:52:06 GMT

I have changed the audit log location in log.cfg (log-local.cfg) to other directory and then able to index it.
Thanks.

Re: Can audit.log be forwarded to another index?

inventsekar — Wed, 11 Jan 2017 19:15:20 GMT

Not sure, but, Just a thought, the audit, splunkd logs may be already indexed thru splunk's own internal indexes, isn't ?!?!

Re: Can audit.log be forwarded to another index?

nmouli — Wed, 11 Jan 2017 19:29:39 GMT

Yes, however I'd like to send many UF internal logs to other existing index rather than Splunk own internal index to develop a customized app.