Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

auditd.conf

eafitt
Path Finder
‎11-09-2012 10:43 AM

I want to send auditd.conf files to the splunk server so I can monitor when an account is created and deleted on one of my linux servers. Is this possible w/o a forwarder? I've tried to configure the auditd.conf file to point to the splunk server which did not work.

Tags (2)
Reply

jemjensen
Engager
‎07-09-2013 10:37 AM

I apologize for being very late to the game but yes, you can. First, you'll want to set up an auditd server on your Splunk server. Then configure your client machines to use the audispd au-remote plugin to forward their audit logs to the auditd server. Splunk will pull in the local auditd logs by default, which now contain logs for all of your servers. So no Splunk configuration is necessary, except maybe a data transform to change the Host value to the real client host.

There's a very useful whitepaper for setting up the auditd server/client part here:
http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/be...

0 Karma
Reply

sebtanzi
New Member
‎02-06-2017 02:35 AM

Hi,

the link to the whitepaper is not working here, do you have a fixed link to the document above ?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...