Deployment Architecture


Path Finder

I want to send auditd.conf files to the splunk server so I can monitor when an account is created and deleted on one of my linux servers. Is this possible w/o a forwarder? I've tried to configure the auditd.conf file to point to the splunk server which did not work.

Tags (2)


I apologize for being very late to the game but yes, you can. First, you'll want to set up an auditd server on your Splunk server. Then configure your client machines to use the audispd au-remote plugin to forward their audit logs to the auditd server. Splunk will pull in the local auditd logs by default, which now contain logs for all of your servers. So no Splunk configuration is necessary, except maybe a data transform to change the Host value to the real client host.

There's a very useful whitepaper for setting up the auditd server/client part here:

0 Karma

New Member


the link to the whitepaper is not working here, do you have a fixed link to the document above ?

0 Karma