Hi everyone,
to collect auditd logs from /var/log/audit.log, I just add TA-auditd and removed standard unix TA. the default TA-auditd does not have any inputs.conf file.
there are no logs i check with
index=* sourcetype= linux:audit
whereas I can see in _internal index that events are coming.
By default, the Splunk user (splunk) does not have access to /var/log which is owned by root. Therefore it cannot access the log files there (auditd.log) for ingestion.
You'll need to modify the privileges for the Splunk user, or change ownership of that file to splunk:splunk e.g.
Hello,
Is second lookup (ldapsearch) is a must for configuring this apps ?
https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration
Because i do not have LDAP, so i skip it.
My last step for configuring Linux Auditd.
1. I configure splunk user to go in root group.
2. grant root privileges to splunk user.
3. login as splunk user and try access /var/log/audit/audit.log. If this works, i prefer it is an ok.
But, i do not get linux:audit data in my Splunk.
Is there something that i missing ?
Am i should install CIM too ?
At this moment, I am using Splunk 7.3.5.
It's so wierd that linux-auditd only works when i manually added auditd.log.
I suppose it should works automatically when install linux-auditd.
Do you have solved this problem ?
Is this happen because group permission that used by auditd ?
I change the group permission that used by auditd from root to splunk. But, it doesnot solved this problem.
i also installed Auditd Addons, too