Re: How to configure cloudwatch logs as an input f...

AcerDevops · ‎07-19-2017

Hi,

We have forwarded our audit.log files to cloudwatch logs as {hostname}/audit.log. For Linux Auditd (TA_linux-auditd) app we have configured inputs.conf as below

[monitor://*/audit.log]
disabled = false 
sourcetype = aws:cloudwatchlogs

But i don't see any data getting updated in the Linux Auditd app.

Any suggestions.

wenthold · ‎07-20-2017

You say the path to the logs is {hostname}/audit.log - is that under your root folder? As I understand it [monitor://*/audit.log] will only look for audit.log under the root folder or the first child of the root folder. Other than that does your system use selinux or some kind of protection like that? I would su as the Splunk user and tail the last 10 lines of the audit log to make sure the Splunk account has permissions to the log.

You could also grep for "audit.log" under $SPLUNK_HOME/var/log/splunk/splunkd.log and it might give you some idea about what's going on.

AcerDevops · ‎07-20-2017

I have audit.log in cloudwatch logs. Not on a machine. I would like to know if it is possible for Linux Auditd app to access the cloudwatch logs.

wenthold · ‎07-21-2017

I'm sorry, I misunderstood the original question. I'm not that familiar with AWS, but it looks like you may have to use the HTTP event collector to retrieve the logs from AWS.

announcing-new-aws-lambda-blueprints-for-splunk
how-to-easily-stream-aws-cloudwatch-logs-to-splunk.html

How to configure cloudwatch logs as an input for Linux Auditd app?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?