Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Linux Auditd app not showing data under multiple d...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Installed the Linux AuditD app on Splunk Cloud (indexer). Linux logs are getting parsed as expected with sourcetype=linux:audit.
Configured the app as per document on Github and see most of the dashboards are blank.
SOC dashboard has data in it
Kernel dashboard is blank ( searched for all time)
SYSCALL is blank (searched all time)
TYPE ENFORCEMENT has data
SUDO is blank
Also, when I ran the search --- [|inputlookup auditd_indicies] [|inputlookup auditd_sourcetypes] it only shows one sourcetype (syslog) ideally this should show another sourcetype (linux:audit) and I believe this could be the reason the SYSCALL dashboard is blank.
Haven't done any config related to data model, not sure if this is related.
Please advise.
thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like the auditd_sourcetypes lookup may have been modified to include 'syslog', which will not work. 'linux:audit' is the sourcetype that should be used, as per the app documentation's requirement list (https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#requirements). A workaround is provided for 'linux_audit' in the documentation (https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#sourcetype), however use of 'syslog' sourcetype is not supported.
With respect to some dashboards showing information and others not, please see: https://github.com/doksu/splunk_auditd/wiki/About-Auditd to configure auditd to log those additional event types. This is discussed in the user guide video: https://www.youtube.com/watch?v=M7QZRAHSs5E
Regarding the datamodel, please see the documentation here: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#datamodel
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks.
auditd_sourcetypes was looking for syslogs only, changed that to look for linux:audit apps and all the dashboards are populating now.
thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like the auditd_sourcetypes lookup may have been modified to include 'syslog', which will not work. 'linux:audit' is the sourcetype that should be used, as per the app documentation's requirement list (https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#requirements). A workaround is provided for 'linux_audit' in the documentation (https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#sourcetype), however use of 'syslog' sourcetype is not supported.
With respect to some dashboards showing information and others not, please see: https://github.com/doksu/splunk_auditd/wiki/About-Auditd to configure auditd to log those additional event types. This is discussed in the user guide video: https://www.youtube.com/watch?v=M7QZRAHSs5E
Regarding the datamodel, please see the documentation here: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#datamodel
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Feel the Splunk Love: Real Stories from Real Customers
Data Management Digest – November 2025
