Deployment Architecture

auditd.conf

Path Finder

I want to send auditd.conf files to the splunk server so I can monitor when an account is created and deleted on one of my linux servers. Is this possible w/o a forwarder? I've tried to configure the auditd.conf file to point to the splunk server which did not work.

Tags (2)

Engager

I apologize for being very late to the game but yes, you can. First, you'll want to set up an auditd server on your Splunk server. Then configure your client machines to use the audispd au-remote plugin to forward their audit logs to the auditd server. Splunk will pull in the local auditd logs by default, which now contain logs for all of your servers. So no Splunk configuration is necessary, except maybe a data transform to change the Host value to the real client host.

There's a very useful whitepaper for setting up the auditd server/client part here:
http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/be...

0 Karma

New Member

Hi,

the link to the whitepaper is not working here, do you have a fixed link to the document above ?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!