I'm having a situation where I am not seeing the _audit index/audit.log on any of my Universal Forwarders from a single instance Search Head/Indexer. I AM seeing the _internal from all of them though. I have seen activity as of today - very little of it - in the audit.log file under the Program Files\splunkforwarder\var...\audit.log and Everyone has read access to it.
The outputs.conf file in the default directory has not been edited and the entry outputs.conf:forwardedindex.2.whitelist = (audit|internal|introspection|telemetry) is present.
I don't see anything in the local directory that would overwrite this.
Thanks in advance.
I'm now away from the worksite, I'll check in the morning (PDT) and get back - Thanks!
It's a mix of several. 6.3.9 for 2 older Windows servers, 6.5.1 for 2 Linux servers, and 6.5.2 for the remaining 58 Windows servers.
We are ingesting data for winevent logs and linux os from them.
AFAIK, there are not many audit log entries generated at a universal forwarder, mostly just the shutdown/start logs. I would suggest logging on to the server and confirming whether any $SPLUNK_HOME/var/log/splunk/audit.log entries are being written.
Hi, you are correct: there is very little activity when I look at the actual log on the UF, just the startup and the acknowledgement of listing the forward-server and deployment-server.
So I am going to assume that there just wasn't or isn't enough data to send to the indexer in this case? Is this an exception because it's an internal file to Splunk and not a log file? I am questioning this because of regular log data not getting forwarded if there's very little activity.
Thoughts on this?
You would see a warning (or info) in the splunkd log with a string like "file too small" if that is the case. In another case, if the file has not been written to for a very long time, it gets dropped from the monitoring list and you would not see any data.
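Two searches that turn the checks discussed in this thread into something you can run from the search head. They are an added example, not part of the original thread or of any Splunk documentation. They assume the forwarders' own splunkd.log is already arriving in _internal (as the question states it is), that the default 24-hour window is a reasonable quiet period for audit.log, and that the "file too small" wording quoted above is the phrase to look for; adjust the time range and the search terms to your environment.

```spl
| tstats count WHERE (index=_internal OR index=_audit) earliest=-24h BY host index
| stats sum(eval(if(index=="_internal", count, 0))) AS internal_events
        sum(eval(if(index=="_audit", count, 0))) AS audit_events
  BY host
| where audit_events=0
| sort - internal_events

index=_internal sourcetype=splunkd source=*splunkd.log* earliest=-24h
    (component=WatchedFile OR component=TailingProcessor OR component=TailReader)
    (audit.log OR "file too small")
| table _time host component log_level _raw
| sort - _time
```

The first search lists every host that shipped _internal events in the window but nothing to _audit, which separates "the whitelist is wrong" (many hosts, all of them) from "audit.log was simply idle" (a few hosts, and their splunkd.log shows no errors). The second search pulls the tailing subsystem's own messages about audit.log so you can see whether the file was skipped as too small, dropped from the watch list after a long idle period, or picked up normally; if the forwarder is healthy but idle, restarting it on one test host should produce a fresh audit.log startup entry and a matching _audit event within a few minutes.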
Ok, I'm with you on this. If you want to write that as the answer, I'll accept it. The audit file is being listed under component="WatchedFile" on the _internal index so it is known to Splunk and that's good to know.