Getting Data In

Can audit.log be forwarded to another index?

nmouli
Explorer

Hello There

I'm trying to index a few Splunk internal logs like splunkd, metrics, web*, audit, etc. under /var/log/splunk to another index. However, all the logs are populating in the other index except audit.log.

Please suggest.

Many Thanks!

0 Karma
1 Solution

nmouli
Explorer

I have changed the audit log location in log.cfg (log-local.cfg) to another directory and was then able to index it.
Thanks.

0 Karma

inventsekar
Super Champion

Not sure, but just a thought: the audit and splunkd logs may already be indexed through Splunk's own internal indexes, aren't they?

>>> Happy Splunking !
0 Karma

nmouli
Explorer

Yes, however, I'd like to send many UF internal logs to another existing index rather than Splunk's own internal index to develop a customized app.

0 Karma