
When getting started with Linux Auditd, is it necessary to have a data model installed?

markh_colorado
Engager

I have the "Splunk Add-on for Unix and Linux", the "Splunk App for Unix and Linux", and "Linux Auditd" applications installed. When I bring up the "Linux Auditd" and look for data, there is a lot of nothing. The command starts with | tstats count WHERE [|inputlookup auditd-indicies] ...

Does tstats require some kind of data model? If so, is there an existing one to use?

Thanks.


aaraneta_splunk
Splunk Employee

Hi @markh_colorado - Did one of the below answers help provide a solution to your question? If so, please don't forget to click "Accept" below the best answer and up-vote any answers/comments that were helpful to you. Thanks!


doksu
SplunkTrust

As per kungfu71186's comments, please check out the installation and configuration instructions: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration, as it sounds like there's a sourcetype issue.

The search you mentioned doesn't use a datamodel, however other searches in the Linux Auditd app use an "Auditd" datamodel provided by the TA_linux-auditd app. As per the documentation, no configuration of the datamodel is required, however acceleration is strongly recommended for performance reasons.

As an aside, the Common Information Model (CIM) app is not required.


kungfu71186
New Member

No, it does not require it, but it's recommended to enable it. There is already an existing one, but it would need to be enabled.

If you are getting nothing then make sure you are getting the correct sourcetype and make sure auditing does have rules enabled.

https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration

I followed those instructions and everything is working great.

---Edit---
Datamodel

At this point, it's strongly recommended to enable acceleration for the provided 'Auditd' datamodel. This can be done via the web interface on your search head: Settings -> Data models -> Edit (next to Auditd) -> Edit Acceleration -> Tick the box, and change the Summary Range (at least '7 Days', but preferably 'All Time'), then click 'Save'. N.B. The Auditd datamodel is quite modest in size - we know from extensive testing that the datamodel acceleration size is only +5% of the raw data.

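To check the two things raised in the answers above (the sourcetype of the ingested auditd events, and whether the Auditd datamodel and its acceleration actually see them), the following three searches can be run one at a time from the Linux Auditd app context on the search head. They are an added example, not part of the app or of either answer; they assume the auditd-indicies lookup returns index terms as in the question and that the datamodel's internal name is Auditd, matching its displayed name.

```spl
| tstats count WHERE [| inputlookup auditd-indicies] BY index, sourcetype

| tstats summariesonly=false count FROM datamodel=Auditd BY sourcetype

| tstats summariesonly=true count FROM datamodel=Auditd BY sourcetype
```

The first search shows which sourcetypes the auditd indexes actually contain; if the expected sourcetype is missing, the events are arriving but not tagged as the app expects. The second reads the datamodel against raw events and the third reads only the accelerated summaries, so a non-zero second count with a zero third count means acceleration has not been enabled or has not yet finished building.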

markh_colorado
Engager

I am getting closer. You mention there is an existing model that needs to be enabled. How do I enable it?

Thanks.


kungfu71186
New Member

I posted the instructions in my answer. Just go to the datamodel, but make sure you are in the right context. You'll see App: Something... Click that to make sure you are in the right context. You might have to switch a few times to find the right one or show all and find that one. I don't have it with me right now to verify where and what it is.
