All Apps and Add-ons

How to configure cloudwatch logs as an input for Linux Auditd app?

AcerDevops
New Member

Hi,

We have forwarded our audit.log files to cloudwatch logs as {hostname}/audit.log. For Linux Auditd (TA_linux-auditd) app we have configured inputs.conf as below

[monitor://*/audit.log]
disabled = false 
sourcetype = aws:cloudwatchlogs 

But i don't see any data getting updated in the Linux Auditd app.

Any suggestions.

0 Karma

wenthold
Communicator

You say the path to the logs is {hostname}/audit.log - is that under your root folder? As I understand it [monitor://*/audit.log] will only look for audit.log under the root folder or the first child of the root folder. Other than that does your system use selinux or some kind of protection like that? I would su as the Splunk user and tail the last 10 lines of the audit log to make sure the Splunk account has permissions to the log.

You could also grep for "audit.log" under $SPLUNK_HOME/var/log/splunk/splunkd.log and it might give you some idea about what's going on.

0 Karma

AcerDevops
New Member

I have audit.log in cloudwatch logs. Not on a machine. I would like to know if it is possible for Linux Auditd app to access the cloudwatch logs.

0 Karma

wenthold
Communicator

I'm sorry, I misunderstood the original question. I'm not that familiar with AWS, but it looks like you may have to use the HTTP event collector to retrieve the logs from AWS.

announcing-new-aws-lambda-blueprints-for-splunk
how-to-easily-stream-aws-cloudwatch-logs-to-splunk.html

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...