I have one indexer and one forwarder. My Splunk Enterprise (Indexer) has the Linux Auditd app installed and I have my forwarder sending audit logs to an index that is using the linux auditd app on my My Splunk Enterprise. On my forwarder, I configured it to monitor the /var/log/audit/audit.log so my indexer would receive that data. So now I am wondering why TAlinux-auditd is installed with a inputs.conf file that is also configured to monitor /var/log/audit/audit.log? If my inputs.conf on my forwarder is use to specify which file to monitor, then what is the TAlinux-auditd's inputs.conf on my Splunk Enterprise used for. I hope that makes sense. I am very new to Splunk. If there are any resources out there that explain more about what the following .conf files are used for please let me know.
The one in the app is used to establish default values. You only need to copy the stanza header (the line that begins with
[ and ends with
] and the settings that go with it that you need to change (probably none, except for
disabled=1 which you need to change to
I am still confused as to why the app on my indexer would need default values. inputs.conf on my forwarder is set to monitor /var/log/audit/audit.log so it can forward that data to my indexer. If my indexer also has its own local/inputs.conf with default values, is that so I can monitor the /var/log/audit/audit.log file on my indexer and forward that data to another spunk instance if I had my topology setup that way?