All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure cloudwatch logs as an input for Linux Auditd app?

AcerDevops
New Member
‎07-19-2017 07:35 PM

Hi,

We have forwarded our audit.log files to cloudwatch logs as {hostname}/audit.log. For Linux Auditd (TA_linux-auditd) app we have configured inputs.conf as below

[monitor://*/audit.log]
disabled = false 
sourcetype = aws:cloudwatchlogs

But i don't see any data getting updated in the Linux Auditd app.

Any suggestions.

0 Karma
Reply

wenthold
Communicator
‎07-20-2017 05:53 AM

You say the path to the logs is {hostname}/audit.log - is that under your root folder? As I understand it [monitor://*/audit.log] will only look for audit.log under the root folder or the first child of the root folder. Other than that does your system use selinux or some kind of protection like that? I would su as the Splunk user and tail the last 10 lines of the audit log to make sure the Splunk account has permissions to the log.

You could also grep for "audit.log" under $SPLUNK_HOME/var/log/splunk/splunkd.log and it might give you some idea about what's going on.

0 Karma
Reply

AcerDevops
New Member
‎07-20-2017 06:31 PM

I have audit.log in cloudwatch logs. Not on a machine. I would like to know if it is possible for Linux Auditd app to access the cloudwatch logs.

0 Karma
Reply

wenthold
Communicator
‎07-21-2017 06:49 AM

I'm sorry, I misunderstood the original question. I'm not that familiar with AWS, but it looks like you may have to use the HTTP event collector to retrieve the logs from AWS.

announcing-new-aws-lambda-blueprints-for-splunk
how-to-easily-stream-aws-cloudwatch-logs-to-splunk.html

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...