I currently have the Windows security operations center installed on a Windows 2008 R2 server. I would like to capture audit logs from a Linux machine and integrate this into the Splunk Enterprise server to review the logs.
I am collecting logs to be compliant with DIACAP. I tried using the universal forwarder for Linux and attempted writing my own app (nav, views, eventtypes, etc.) and was quickly overwhelmed.
Can someone recommend the appropriate app to collect audit logs from a Linux machine and display them on a Windows indexer (Splunk Enterprise)?
Also, is there any service out there that I can pay to have a custom application built specifically to meet the requirements of DIACAP for auditing Windows and Linux?
I am trying to collect remote Windows and Linux logs and display them in the FISMA app.
I have 1 Splunk server running Windows 2008 R2 and Splunk 6.
I have 1 Windows 7 machine and 1 RHEL 5.8 machine.
I installed Splunk Enterprise on the Splunk server. What else do I install on the Splunk server to grab logs from remote Windows and Linux machines to analyse audit logs?
What do I install on the remote machines?
Universal forwarder for Windows on the Windows machines and universal forwarder for Linux on the Linux machines?
How does the data get populated into the FISMA app?
I didn't think I could install the Unix app on a Windows server. I only have 1 Splunk Enterprise install on a Windows 2008 R2 machine running as the search head and indexer.
I have forwarders for Linux and other Windows machines. You are right, the compliance aspect is a result of parsing the logs for the information I need and presenting the data.
I will give it a shot; I might look into getting a custom app written that has all the views, searches, etc. ready to go.
warnerd, you can definitely run the *Nix app on Splunk for Windows. As jcoates mentions, install your forwarders and TAs (also referred to as Add-ons) on the remote system. Install the full app on your Splunk Search Head (your Windows 2008 R2 machine).
You don't need an app to comply with DIACAP. The Unix app on the indexer and the Unix TA on the forwarder will allow you to collect and view Unix information on your Windows indexer for Splunk 5.x or 6.x. You will probably find that much of your DIACAP compliance will be from custom searches, reports, and alerts.
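As an added illustration of the setup the answers above describe (not configuration from the original thread or from Splunk's own add-on), the minimal forwarder-side and indexer-side .conf stanzas that get a RHEL host's auditd log to a Windows indexer; the hostname, port 9997, the `os` index and the `linux_audit` sourcetype are assumptions to adjust to your environment:

```ini
# --- On the RHEL 5.8 host, in the universal forwarder: ---
# $SPLUNK_HOME/etc/system/local/outputs.conf
# (assumed indexer hostname; use your Windows 2008 R2 server's name)
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk-indexer.example.local:9997

# $SPLUNK_HOME/etc/apps/<your_local_inputs_app>/local/inputs.conf
# Monitor the auditd log; sourcetype/index values are assumed to match
# what the Unix TA / Unix app on the search head expects.
[monitor:///var/log/audit/audit.log]
sourcetype = linux_audit
index = os
disabled = 0

# --- On the Windows 2008 R2 indexer / search head: ---
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Open the receiving port the forwarder's outputs.conf points at.
[splunktcp://9997]
disabled = 0
```

The `os` index must exist on the indexer before events arrive, and the forwarder's Splunk user needs read access to /var/log/audit/audit.log, which auditd creates as root-only by default.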