
Linux Auditd: How to override the default configurations for props.conf?


When the Linux Auditd app is installed on a Splunk Enterprise (indexer), is the props.conf in the TA_linux-auditd/default/props.conf overriding anything by default? I am confused on how overriding works.

Splunk documentation says the following:

Note: If you forward data, and you want to assign a source type for a source, you must assign the source type in props.conf on the forwarder. If you do it in props.conf on the receiver, the override has no effect.

So if I have the Linux Auditd app installed on an indexer and I have a universal forwarder sending audit log data to my indexer, will any configuration I add in TA_linux-auditd/local be applied to data received from forwarders or data that my indexer itself is forwarding?

The NOTE above makes it sound like I need to install Linux Auditd app on my forwarder not just my indexer.

0 Karma

Esteemed Legend

The documentation is wrong. You should assign the sourcetype in inputs.conf on the forwarder (NOT in props.conf). Then don't bother overriding it at all.

0 Karma

Path Finder

First of all, overriding works as per the file precedence order. In your case it will be index file precedence order.
1. Slave-app local directories (cluster peers only) -- highest priority
2. System local directory
3. App local directories
4. Slave-app default directories (cluster peers only)
5. App default directories
6. System default directory -- lowest priority

Hope this answers it; if not, then please rephrase your question.

0 Karma
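
The precedence list in the answer above, worked through as an added example (not code from the thread, the app, or Splunk): settings are merged per attribute within a stanza, and the highest-priority layer that defines an attribute wins. The `linux:audit` stanza name, the layer labels, and all attribute values are constructed for illustration, and the case of several apps defining the same stanza is left out.

```python
import configparser

# Highest priority first, in the order given in the answer above.
LAYERS = [
    "slave-app local",     # cluster peers only
    "system local",
    "app local",
    "slave-app default",   # cluster peers only
    "app default",
    "system default",
]

def parse_conf(text):
    """Parse INI-style .conf text into {stanza: {attribute: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str   # keep attribute names case-sensitive
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}

def effective(layers):
    """Merge per attribute; return {stanza: {attribute: (value, winning_layer)}}."""
    merged = {}
    for name in reversed(LAYERS):   # apply lowest priority first
        for stanza, attrs in parse_conf(layers.get(name, "")).items():
            for key, value in attrs.items():
                # A higher-priority layer overwrites only the attributes it defines.
                merged.setdefault(stanza, {})[key] = (value, name)
    return merged

# Constructed sample: an add-on's default props.conf plus two local overrides.
SAMPLE = {
    "app default": "[linux:audit]\nSHOULD_LINEMERGE = false\nTRUNCATE = 10000\n",
    "app local": "[linux:audit]\nTRUNCATE = 20000\n",
    "system local": "[linux:audit]\nTRUNCATE = 50000\n",
}

if __name__ == "__main__":
    for stanza, attrs in effective(SAMPLE).items():
        for key, (value, layer) in sorted(attrs.items()):
            print(f"[{stanza}] {key} = {value}   <- {layer}")
```

On a running instance, `splunk btool props list --debug` shows which file supplies each effective attribute.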