
Collect linux audit logs on windows splunk server

Engager

I currently have the Windows security operations center installed on a windows 2008 R2 server. I would like to capture audit logs from a linux machine and integrate this into the splunk enterprise server to review the logs.

I am collecting logs to be compliant with DIACAP. I tried using the universal forwarder for Linux and attempted writing my own app (nav, views, eventtypes, etc.) and was quickly overwhelmed.

Can someone recommend the appropriate app to collect audit logs from a Linux machine and display them on a Windows indexer (Splunk Enterprise)?

Thank you.

Also, is there any service out there that I can pay to have a custom application built specifically to meet the requirements of DIACAP for auditing windows and linux?


Engager

I am trying to collect remote windows and linux logs and display them in the FISMA app.

I have 1 Splunk server running Windows 2008 R2 and Splunk 6.

I have 1 windows 7 machine and 1 RHEL 5.8 machine.

I installed Splunk Enterprise on the Splunk server. What else do I install on the Splunk server to grab logs from remote Windows and Linux machines to analyse audit logs?

What do I install on the remote machines?

Universal forwarder for Windows on the Windows machines and universal forwarder for Linux on the Linux machines?

How does the data get populated into the FISMA app?


Engager

I didn't think I could install the Unix app on a Windows server. I only have 1 Splunk Enterprise install on a Windows 2008 R2 machine running as the search head and indexer.

I have forwarders for Linux and other Windows machines. You are right, the compliance aspect is a result of parsing the logs for the information I need and presenting the data.

I will give it a shot, I might look into getting a custom app written that has all the views, searches, etc ready to go.

V/R


Engager

Thanks to everyone who is helping, you all are a tremendous resource.


Splunk Employee

warnerd, you can definitely run the *Nix app on Splunk for Windows. As jcoates mentions, install your forwarders and TAs (also referred to as Add-ons) on the remote system. Install the full app on your Splunk Search Head (your Windows 2008R2 machine).

Splunk Employee

I don't know that you actually need the Unix app for the use case... TAs and CIM should be all you need.


Super Champion

You don't need an app to comply with DIACAP. The Unix app on the indexer and the Unix TA on the forwarder will allow you to collect and view Unix information on your Windows indexer for Splunk 5.x or 6.x. You will probably find that much of your DIACAP compliance will be from custom searches, reports, and alerts.

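The forwarder-and-TA layout the two answers above describe, written out as an added configuration example (not posted by anyone in this thread and not the add-on's shipped defaults): it assumes the Splunk Add-on for Unix and Linux is installed on the RHEL forwarder so the `linux_audit` sourcetype is defined, that an `os` index exists on the indexer, and that `splunk-win.example.local` is a placeholder for the Windows 2008 R2 indexer/search head.

```ini
# Forwarder side (RHEL host): $SPLUNK_HOME/etc/system/local/inputs.conf
# Monitor the auditd log and tag it with the sourcetype the Unix add-on
# expects. /var/log/audit is root-only by default, so the account the
# forwarder runs as needs read access to it (for example via a filesystem
# ACL); running the forwarder as root is not required for this.
[monitor:///var/log/audit/audit.log]
sourcetype = linux_audit
index = os
disabled = 0

# Forwarder side: $SPLUNK_HOME/etc/system/local/outputs.conf
# Ship every monitored input to the Windows indexer.
# splunk-win.example.local is a placeholder hostname (assumption).
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk-win.example.local:9997

# Indexer side (Windows 2008 R2): %SPLUNK_HOME%\etc\system\local\inputs.conf
# Open the receiving port the forwarder connects to. The same thing can be
# done in Splunk Web under Settings > Forwarding and receiving.
[splunktcp://9997]
disabled = 0
```

After restarting both instances, `splunk list forward-server` on the RHEL host should show the indexer under active forwards, and a search for `sourcetype=linux_audit` on the Windows search head confirms events are arriving before you build the compliance reports on top of them.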

Splunk Employee

Hi,

Are you using Splunk 6? You should be able to install the Unix TA, the Windows TA, and the CIM, then use Search > Pivot to produce the reports that you want.