
How to configure the Linux Auditd app to consolidate data from a host?

Explorer

I have one indexer and one forwarder. My Splunk Enterprise (Indexer) has the Linux Auditd app installed, and I have my forwarder sending audit logs to an index that is using the Linux Auditd app on my Splunk Enterprise. On my forwarder, I configured it to monitor /var/log/audit/audit.log so my indexer would receive that data. So now I am wondering why TAlinux-auditd is installed with an inputs.conf file that is also configured to monitor /var/log/audit/audit.log? If the inputs.conf on my forwarder is used to specify which file to monitor, then what is the TAlinux-auditd's inputs.conf on my Splunk Enterprise used for? I hope that makes sense. I am very new to Splunk. If there are any resources out there that explain more about what the following .conf files are used for, please let me know.

app.conf
collections.conf
datamodels.conf
eventtypes.conf
inputs.conf
macros.conf
props.conf
savedsearches.conf
tags.conf
transforms.conf

0 Karma

Re: How to configure the Linux Auditd app to consolidate data from a host?

Esteemed Legend

The one in the app is used to establish default values. You only need to copy the stanza header (the line that begins with [ and ends with ]) and the settings that go with it that you need to change (probably none, except for disabled=1, which you need to change to disabled=0).

0 Karma
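To illustrate the layering the answer above describes, here is an added Python example (not part of this thread or of the Linux Auditd app): it merges a constructed default/inputs.conf with a constructed local/inputs.conf the way Splunk lets local settings win over app defaults, and derives the minimal local override. The monitor stanza for /var/log/audit/audit.log uses standard Splunk inputs.conf syntax, but the sourcetype and index values are assumptions, not the TA's real files, and real Splunk precedence has more layers (system, other apps) than shown here.

```python
import configparser
from typing import Dict

# Constructed stand-ins for the app's default/inputs.conf and local/inputs.conf.
# Key names other than "disabled" are assumptions, not the TA's shipped files.
DEFAULT_INPUTS = """
[monitor:///var/log/audit/audit.log]
disabled = 1
sourcetype = linux_audit
index = main
"""
LOCAL_INPUTS = """
[monitor:///var/log/audit/audit.log]
disabled = 0
"""

def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def effective_config(default_text: str, local_text: str) -> Dict[str, Dict[str, str]]:
    """Layer local over default: stanzas and keys missing from local are
    inherited from default, keys present in local override them."""
    merged = parse_conf(default_text)
    for stanza, settings in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(settings)
    return merged

def minimal_override(default_text: str, desired: Dict[str, Dict[str, str]]) -> str:
    """Render the smallest local/inputs.conf that turns the defaults into
    `desired`: only the stanza header plus the keys whose values differ."""
    base = parse_conf(default_text)
    lines = []
    for stanza, settings in desired.items():
        diff = {k: v for k, v in settings.items() if base.get(stanza, {}).get(k) != v}
        if diff:
            lines.append(f"[{stanza}]")
            lines.extend(f"{k} = {v}" for k, v in diff.items())
            lines.append("")
    return "\n".join(lines).rstrip() + "\n" if lines else ""
```

Running `effective_config(DEFAULT_INPUTS, LOCAL_INPUTS)` shows the input enabled while still inheriting the default sourcetype and index, and `minimal_override` reproduces the two-line local file the answer recommends.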

Re: How to configure the Linux Auditd app to consolidate data from a host?

Explorer

I am still confused as to why the app on my indexer would need default values. inputs.conf on my forwarder is set to monitor /var/log/audit/audit.log so it can forward that data to my indexer. If my indexer also has its own local/inputs.conf with default values, is that so I can monitor the /var/log/audit/audit.log file on my indexer and forward that data to another Splunk instance if I had my topology set up that way?

0 Karma