Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to forward Solaris audit logs

Roy
New Member
‎07-28-2020 12:05 PM

I have installed the Universal Forwarder on my Solaris Global server, but no data is getting to my Indexer.  Looking at the Splunk log file, I can see that the Forwarder is trying to read the current day's log file (the not_terminated one), but it can't because the audit log is not a text file.  Is there a way around this?

Labels (1)
Labels
0 Karma
Reply

ajohnsen
Splunk Employee
Splunk Employee
‎07-28-2020 12:16 PM

Splunk will read any plaintext file with ease - I do this faairly often on my Solaris systems. Have you checked all permissions are sorted and traffic is allowed between instances?

0 Karma
Reply

Roy
New Member
‎07-28-2020 12:29 PM

Thanks for the quick response.  I'm very new to Splunk.    I am forwarding to an Indexer run by a third party, so determining if anything is working is difficult.  The Forwarder is able to access the Solaris audit log file, so based on the Splunk log file I figured the problem is the fact that the Solaris audit log is not text.  I used the praudit utility to output the current audit log to a text file in the same directory as the audit log file, but nothing showed up on the Indexer (no problems with RHEL or Windows).    Ideas?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-28-2020 12:34 PM

Hi

here is instructions how to convert auditd log (at least partially) to syslog and then collect those via syslog or directly from syslog file as text.

https://docs.oracle.com/cd/E23823_01/html/816-4557/audittask-44.html

When you are already exporting those logs to text files (I propose to export those to another directory and give UF user's to enough access to read those (instead of to real audit directory), you must define a new monitor in inputs.conf to read those files to splunk. 

r. Ismo

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...