Not seeing the _audit index/log from my windows U/Fs but I am seeing _internal

Communicator

Hello,

I'm having a situation where I am not seeing the _audit index/audit.log on any of my Universal Forwarders from a single instance Search Head/Indexer. I AM seeing the _internal from all of them though. I have seen activity as of today - very little of it - in the audit.log file under the Program Files\splunkforwarder\var...\audit.log and Everyone has read access to it.

The outputs.conf file in the default directory has not been edited and the entry outputs.conf:forwardedindex.2.whitelist = (audit|internal|introspection|telemetry) is present.

I don't see anything in the local directory that would overwrite this.

Any ideas?

Thanks in advance.

Esteemed Legend

What version of Splunk on the forwarder?

Communicator

I'm now away from the worksite; I'll check in the morning (PDT) and get back. Thanks!

Communicator

It's a mix of several. 6.3.9 for 2 older Windows servers, 6.5.1 for 2 Linux servers, and 6.5.2 for the remaining 58 Windows servers.
We are ingesting data for Windows event logs and the Linux OS from them.

SplunkTrust

AFAIK, there is not much audit logging generated at a universal forwarder, mostly just the shutdown/start logs. I would suggest logging on to the server and confirming whether any $SPLUNK_HOME/var/log/splunk/audit.log entries are being written.

Communicator

Hi, you are correct: very little activity when I look at the actual log on the UF, just the startup and the acknowledgement of listing the forward-server and deployment-server.

So I am going to assume that there just wasn't or isn't enough data to send to the indexer in this case? Is this an exception because it's an internal file to Splunk and not a log file? I am questioning this because regular log data would also not get forwarded if there's very little activity.

Thoughts on this?
Thanks again.

SplunkTrust

You would see a warning (or info) in the splunkd log with a string like "file too small" if that is the case. In another case, if the file has not been written to for a very long time, it gets dropped from the monitoring list and you'd not see any data.
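A quick way to check a copy of a forwarder's splunkd.log for the two conditions described in this answer (a "too small" message for a monitored file, or a file the tailer has not touched in a long time). This is an added example, not code from the thread or from Splunk; the sample log lines, their paths and the reference time are constructed to resemble splunkd.log entries, and the "too small" substring and 30-day staleness threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample splunkd.log lines (not from any real forwarder); the
# "date tz level component - message" layout mirrors splunkd.log.
SAMPLE_LOG = r"""
03-14-2017 08:01:12.345 -0700 INFO  TailingProcessor - Adding watch on path: C:\Program Files\splunkforwarder\var\log\splunk.
03-14-2017 08:01:12.410 -0700 INFO  WatchedFile - Will begin reading at offset=0 for file='C:\Program Files\splunkforwarder\var\log\splunk\metrics.log'.
03-14-2017 08:01:12.455 -0700 WARN  WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='C:\Program Files\splunkforwarder\var\log\splunk\audit.log'.
01-02-2017 09:30:00.000 -0700 INFO  WatchedFile - Will begin reading at offset=0 for file='C:\Logs\old_app.log'.
"""
NOW = datetime(2017, 3, 14, 9, 0, 0)  # when the check runs (constructed to fit the sample)

LINE_RE = re.compile(r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4} "
                     r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$")
FILE_RE = re.compile(r"file='([^']+)'")

def parse_splunkd_log(text):
    """Turn splunkd.log text into dicts, extracting the file path from the message when present."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and continuation lines of multi-line messages
        f = FILE_RE.search(m["msg"])
        entries.append({"ts": datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f"),
                        "level": m["level"], "component": m["component"],
                        "msg": m["msg"], "file": f.group(1) if f else None})
    return entries

def diagnose_monitored_files(text, now, stale_after=timedelta(days=30)):
    """Map each suspicious monitored file to a reason: a 'too small' message from the
    tailer, or no tailing activity logged for the file in more than stale_after."""
    problems, last_seen = {}, {}
    for e in parse_splunkd_log(text):
        if e["file"] is None:
            continue
        if "too small" in e["msg"].lower():
            problems[e["file"]] = "too small: " + e["msg"]
        last_seen[e["file"]] = max(last_seen.get(e["file"], e["ts"]), e["ts"])
    for path, ts in last_seen.items():
        if now - ts > stale_after:
            problems.setdefault(path, f"no tailing activity since {ts:%Y-%m-%d}")
    return problems

def run_sample():
    """Run the check over the constructed sample as of NOW."""
    return diagnose_monitored_files(SAMPLE_LOG, NOW)
```

On a real forwarder, read $SPLUNK_HOME/var/log/splunk/splunkd.log into `text` and pass the current time as `now`; the metrics.log entry in the sample is there to show a healthy file that is not reported.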

Communicator

OK, I'm with you on this. If you want to write that as the answer, I'll accept it. The audit file is being listed under component="WatchedFile" in the _internal index, so it is known to Splunk, and that's good to know.
Many thanks!
