How to configure the Linux Auditd app to consolida...

jcorkey · ‎07-14-2017

I have one indexer and one forwarder. My Splunk Enterprise (Indexer) has the Linux Auditd app installed and I have my forwarder sending audit logs to an index that is using the linux auditd app on my My Splunk Enterprise. On my forwarder, I configured it to monitor the /var/log/audit/audit.log so my indexer would receive that data. So now I am wondering why TA_linux-auditd is installed with a inputs.conf file that is also configured to monitor /var/log/audit/audit.log? If my inputs.conf on my forwarder is use to specify which file to monitor, then what is the TA_linux-auditd's inputs.conf on my Splunk Enterprise used for. I hope that makes sense. I am very new to Splunk. If there are any resources out there that explain more about what the following .conf files are used for please let me know.

app.conf
collections.conf
datamodels.conf
eventtypes.conf
inputs.conf
macros.conf
props.conf
savedsearches.conf
tags.conf
transforms.conf

woodcock · ‎07-14-2017

The one in the app is used to establish default values. You only need to copy the stanza header (the line that begins with [ and ends with ] and the settings that go with it that you need to change (probably none, except for disabled=1 which you need to change to disabled=0).

jcorkey · ‎07-17-2017

I am still confused as to why the app on my indexer would need default values. inputs.conf on my forwarder is set to monitor /var/log/audit/audit.log so it can forward that data to my indexer. If my indexer also has its own local/inputs.conf with default values, is that so I can monitor the /var/log/audit/audit.log file on my indexer and forward that data to another spunk instance if I had my topology setup that way?

How to configure the Linux Auditd app to consolidate data from a host?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM