Linux Auditd: Why is the auditd_indicies.csv not populating?

brywilk_umich
Path Finder

We installed the Linux Auditd app; when we ran the config, the auditd_indicies lookup found nothing and auditd_indicies.csv is empty. If we do a general search on our standalone search head and our cluster, we see sourcetypes with linux:auditd. Has anyone run into this issue in the past?

We are on version 2.0.3

0 Karma
1 Solution

doksu
SplunkTrust

In short, the 'Configure' dashboard must be run as a user with access to auditd events. I've updated the documentation (https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#configuration) to explicitly mention this requirement. Please see the comments in the other answer I provided to see how we determined the cause.

aaraneta_splunk
Splunk Employee

@brywilk_umich - Glad that you were able to find the help you needed via doksu, Splunk Support, and yourself. Please click "Accept" for this answer provided by doksu to close out your question and so it can be easily found by other users that have the same issue. Thank you.

0 Karma

doksu
SplunkTrust

The sourcetype should be 'linux:audit' not 'linux:auditd'. If you change the sourcetype of the events being ingested then run the 'Configure' dashboard again, the auditd_indicies lookup should populate correctly - however the field extractions won't work for the events already ingested with the wrong sourcetype.

As a workaround, you could add temporary local configs that duplicate all the linux:audit props for linux:auditd, and add 'OR sourcetype=linux:auditd' to the 'auditd_events' eventtype. Finally add linux:auditd to the auditd_sourcetypes lookup. I'm not recommending this suggested workaround because it isn't upgrade proof nor have I tested it, but it may help.

0 Karma

brywilk_umich
Path Finder

Sorry, I had a typo; our sourcetype is in fact linux:audit, not linux:auditd.

Is there any other suggestion you might have? Can I just manually populate the auditd_indicies.csv (I know it's not future proof)? I would need to disable the scheduled update.

Thanks!

0 Karma

brywilk_umich
Path Finder

I think I found the issue: it looks like tstats isn't working correctly for us. I'm going to be opening a case with Splunk. Thanks for the help!

0 Karma

doksu
SplunkTrust

Cool, would you be able to share the issue? I suspect it may be affecting other Splunk 6.5 users of the app.

0 Karma

brywilk_umich
Path Finder

Still working with support; when I get an answer I'll post here. Thanks!

0 Karma

brywilk_umich
Path Finder

So it turned out the account used to run the configuration didn't have access to the index it needed.
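
The root cause above (and in the accepted answer) can be checked before running the 'Configure' dashboard, as an added example that is not code from the splunk_auditd app or its author: compare the indexes that actually hold linux:audit events, as an admin sees them from tstats, against the srchIndexesAllowed patterns of the roles held by the operator. The tstats rows and role patterns below are constructed sample data, and the wildcard matching is an approximation of Splunk's index-pattern semantics.

```python
import fnmatch
import json

# Constructed sample: rows an admin gets from
# | tstats count where sourcetype=linux:audit by index
# (REST export with output_mode=json emits one {"result": {...}} object per row).
ADMIN_TSTATS_ROWS = [
    {"result": {"index": "os_linux", "count": "48211"}},
    {"result": {"index": "security", "count": "903"}},
    {"result": {"index": "main", "count": "57"}},
]

# Constructed sample: srchIndexesAllowed of each role held by the operator who
# ran the Configure dashboard (as returned by /services/authorization/roles).
OPERATOR_ROLE_PATTERNS = {"user": ["main", "os_*"], "auditd_viewer": []}


def index_matches(pattern: str, index: str) -> bool:
    """Approximate Splunk index-pattern matching: '*' covers only non-internal
    indexes; an internal index (leading '_') needs an explicit '_...' pattern."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)


def audit_indexes(rows) -> list:
    """Sorted index names that hold linux:audit events, from tstats export rows."""
    return sorted(r["result"]["index"] for r in rows if "index" in r["result"])


def inaccessible_audit_indexes(rows, role_patterns: dict) -> list:
    """Indexes with auditd data that none of the operator's roles may search.
    Searches run as that operator, including the dashboard's tstats, cannot see
    these, so they would be missing from auditd_indicies.csv."""
    allowed = [p for patterns in role_patterns.values() for p in patterns]
    return [
        idx for idx in audit_indexes(rows)
        if not any(index_matches(p, idx) for p in allowed)
    ]


if __name__ == "__main__":
    gap = inaccessible_audit_indexes(ADMIN_TSTATS_ROWS, OPERATOR_ROLE_PATTERNS)
    print(json.dumps({"auditd_indexes_not_searchable_by_operator": gap}))
```
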

doksu
SplunkTrust

Ah, I never thought about that. Thanks, I'll add that to the documentation.

0 Karma