All Apps and Add-ons
Highlighted

How to configure cloudwatch logs as an input for Linux Auditd app?

New Member

Hi,

We have forwarded our audit.log files to cloudwatch logs as {hostname}/audit.log. For Linux Auditd (TA_linux-auditd) app we have configured inputs.conf as below

[monitor://*/audit.log]
disabled = false 
sourcetype = aws:cloudwatchlogs 

But i don't see any data getting updated in the Linux Auditd app.

Any suggestions.

0 Karma
Highlighted

Re: How to configure cloudwatch logs as an input for Linux Auditd app?

Communicator

You say the path to the logs is {hostname}/audit.log - is that under your root folder? As I understand it [monitor://*/audit.log] will only look for audit.log under the root folder or the first child of the root folder. Other than that does your system use selinux or some kind of protection like that? I would su as the Splunk user and tail the last 10 lines of the audit log to make sure the Splunk account has permissions to the log.

You could also grep for "audit.log" under $SPLUNK_HOME/var/log/splunk/splunkd.log and it might give you some idea about what's going on.

0 Karma
Highlighted

Re: How to configure cloudwatch logs as an input for Linux Auditd app?

New Member

I have audit.log in cloudwatch logs. Not on a machine. I would like to know if it is possible for Linux Auditd app to access the cloudwatch logs.

0 Karma
Highlighted

Re: How to configure cloudwatch logs as an input for Linux Auditd app?

Communicator

I'm sorry, I misunderstood the original question. I'm not that familiar with AWS, but it looks like you may have to use the HTTP event collector to retrieve the logs from AWS.

announcing-new-aws-lambda-blueprints-for-splunk
how-to-easily-stream-aws-cloudwatch-logs-to-splunk.html

0 Karma