I want to send auditd.conf files to the splunk server so I can monitor when an account is created and deleted on one of my linux servers. Is this possible w/o a forwarder? I've tried to configure the auditd.conf file to point to the splunk server which did not work.
I apologize for being very late to the game but yes, you can. First, you'll want to set up an auditd server on your Splunk server. Then configure your client machines to use the audispd au-remote plugin to forward their audit logs to the auditd server. Splunk will pull in the local auditd logs by default, which now contain logs for all of your servers. So no Splunk configuration is necessary, except maybe a data transform to change the Host value to the real client host.