I have the "Splunk Add-on for Unix and Linux", the "Splunk App for Unix and Linux", and "Linux Auditd" applications installed. When I bring up the "Linux Auditd" and look for data, there is a lot of nothing. The command starts with | tstats count WHERE [|inputlookup auditd-indicies] ...
Does tstats require some kind of data model? If so, is there an existing one to use?
Thanks.
Hi @markh_colorado - Did one of the below answers help provide a solution to your question? If so, please don't forget to click "Accept" below the best answer and up-vote any answers/comments that were helpful to you. Thanks!
As per kungku71186's comments, please check out the installation and configuration instructions: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration as it sounds like there's a sourcetype issue.
The search you mentioned doesn't use a datamodel, however other searches in the Linux Auditd app use an "Auditd" datamodel provided by the TA_linux-auditd app. As per the documentation, no configuration of the datamodel is required, however acceleration is strongly recommended for performance reasons.
As an aside, the Common Information Model (CIM) app is not required.
No, it does not require it, but it's recommended to enable it. There is already an existing one, but it would need to be enabled.
If you are getting nothing then make sure you are getting the correct sourcetype and make sure auditing does have rules enabled.
https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration
I followed those instructions and everything is working great.
---Edit---
Datamodel
At this point, it's strongly recommended to enable acceleration for the provided 'Auditd' datamodel. This can be done via the web interface on your search head: Settings -> Data models -> Edit (next to Auditd) -> Edit Acceleration -> Tick the box, and change the Summary Range (at least '7 Days', but preferably 'All Time'), then click 'Save'. N.B. The Auditd datamodel is quite modest in size - we know from extensive testing that the datamodel acceleration size is only +5% of the raw data.
I am getting closer. You mention there is an existing model that needs to be enabled. How do I enable it?
Thanks.
I posted the instructions in my answer. Just go to the datamodel, but make sure you are in the right context. You'll see App: Something... Click that to make sure you are in the right context. You might have to switch a few times to find the right one or show all and find that one. I don't have it with me right now to verify where and what it is.