We installed the Linux Auditd app. When we ran the config, the auditd_indicies lookup found nothing and auditd_indicies.csv is empty. If we do a general search on our standalone search head and our cluster, we see sourcetypes with linux:auditd. Has anyone run into this issue in the past?
We are on version 2.0.3
In short, the 'Configure' dashboard must be run as a user with access to auditd events. I've updated the documentation (https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#configuration) to explicitly mention this requirement. Please see the comments in the other answer I provided to see how we determined the cause.
@brywilk_umich - Glad that you were able to find the help you needed via doksu, Splunk Support, and yourself. Please click "Accept" for this answer provided by doksu to close out your question and so it can be easily found by other users that have the same issue. Thank you.
The sourcetype should be 'linux:audit' not 'linux:auditd'. If you change the sourcetype of the events being ingested then run the 'Configure' dashboard again, the auditd_indicies lookup should populate correctly - however the field extractions won't work for the events already ingested with the wrong sourcetype.
As a workaround, you could add temporary local configs that duplicate all the linux:audit props for linux:auditd, and add 'OR sourcetype=linux:auditd' to the 'auditd_events' eventtype. Finally add linux:auditd to the auditd_sourcetypes lookup. I'm not recommending this suggested workaround because it isn't upgrade proof nor have I tested it, but it may help.
Sorry, I had a typo; our sourcetype is in fact linux:audit, not linux:auditd.
Is there any other suggestion you might have? Can I just manually populate the auditd_indicies.csv (I know it's not future proof)? I would need to disable the scheduled update.
Thanks!
I think I found the issue. It looks like tstats isn't working correctly for us; I'm going to be opening a case with Splunk. Thanks for the help!
Cool, would you be able to share the issue? I suspect it may be affecting other Splunk 6.5 users of the app.
Still working with support; when I get an answer I'll post here. Thanks!
So it turned out the account used to run the configuration didn't have access to the index it needed.
Ah, I never thought about that. Thanks, I'll add that to the documentation.
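Two searches to run as the account that will open the 'Configure' dashboard, to confirm beforehand that it can see the audit data at all (an added example, not part of the thread or the app's own code). It assumes, as the thread suggests, that the dashboard relies on tstats over sourcetype=linux:audit, and it uses only standard Splunk REST endpoints and their documented srchIndexesAllowed / srchIndexesDefault fields.

```spl
| rest /services/authentication/current-context
| fields username roles
| mvexpand roles
| join type=left roles
    [| rest /services/authorization/roles
     | rename title AS roles
     | fields roles srchIndexesAllowed srchIndexesDefault]

| tstats count WHERE sourcetype=linux:audit BY index
```

The first search lists which indexes each of your roles may search; the second shows the per-index counts the lookup would be built from, and an empty result here while an admin sees linux:audit events is exactly the permission gap this thread ended up identifying.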