How to configure the Linux Auditd app to consolidate data from a host?

jcorkey
Explorer

I have one indexer and one forwarder. My Splunk Enterprise (indexer) has the Linux Auditd app installed, and I have my forwarder sending audit logs to an index that is used by the Linux Auditd app on my Splunk Enterprise. On my forwarder, I configured it to monitor /var/log/audit/audit.log so my indexer would receive that data. So now I am wondering why TA_linux-auditd is installed with an inputs.conf file that is also configured to monitor /var/log/audit/audit.log? If the inputs.conf on my forwarder is used to specify which file to monitor, then what is the TA_linux-auditd inputs.conf on my Splunk Enterprise used for? I hope that makes sense. I am very new to Splunk. If there are any resources out there that explain more about what the following .conf files are used for, please let me know.

app.conf
collections.conf
datamodels.conf
eventtypes.conf
inputs.conf
macros.conf
props.conf
savedsearches.conf
tags.conf
transforms.conf

0 Karma

woodcock
Esteemed Legend

The one in the app is used to establish default values. You only need to copy the stanza header (the line that begins with [ and ends with ]) and the settings that go with it that you need to change (probably none, except for disabled=1, which you need to change to disabled=0).

0 Karma
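To make the "copy only the stanza header and the settings you change" advice concrete, here is an added example of what the local override looks like on the forwarder. This is not from the original thread or from the TA itself; the app directory path, the exact stanza header and the index name are assumptions, so copy the header verbatim from the stanza the TA actually ships in its default/inputs.conf.

```ini
# Added example, not part of the original thread or of the TA.
# File (assumed path): $SPLUNK_HOME/etc/apps/TA_linux-auditd/local/inputs.conf
#
# Splunk merges default/inputs.conf and local/inputs.conf stanza by stanza and
# setting by setting; local/ wins for any setting it names, and every setting
# it does not name is inherited from default/. So the override only needs the
# header plus the one value that has to change.

# Stanza header copied verbatim from the TA's default/inputs.conf (assumed).
[monitor:///var/log/audit/audit.log]

# default/ ships the input turned off (disabled = 1); this is the one setting
# that has to change. sourcetype and everything else stay inherited.
disabled = 0

# Optional: send the events to a dedicated index. The name is an assumption;
# it must already exist on the indexer or the events are dropped.
index = linux_audit
```

To confirm the merge did what you expect, run `splunk btool inputs list --debug` from the forwarder's `$SPLUNK_HOME/bin`: the `--debug` flag prefixes each setting with the file it came from, so `disabled` should be attributed to local/ and the rest of the stanza to default/. The same stanza in the app copy on the indexer only governs what that indexer host itself reads from its own filesystem; it has no effect on what the forwarder sends.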

jcorkey
Explorer

I am still confused as to why the app on my indexer would need default values. inputs.conf on my forwarder is set to monitor /var/log/audit/audit.log so it can forward that data to my indexer. If my indexer also has its own local/inputs.conf with default values, is that so I can monitor the /var/log/audit/audit.log file on my indexer and forward that data to another Splunk instance if I had my topology set up that way?

0 Karma