Getting Data In

How do I ingest the Linux audit logs from this system into Splunk?

lutzmw
Engager

Splunk 8.2.5 Enterprise receiver and indexer operating on the same RHEL 7.9 system.  How do I ingest the Linux audit logs from this system into Splunk? Do I need to install a Universal Forwarder like I did on my other/external systems?  I have dashboards created and I'm receiving Linux audit events from my other/external systems but nothing from the Receiver/Indexer system.

Labels (3)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

No. As long as you have some "heavy" Splunk component (search-head, indexer, deployment server and so on - anything based on the full installer package) you don't need to install additional Universal Forwarder.

With a properly configured environment you should be pushing logs from all splunk components to the indexers so it should be enough to define monitor inputs to read from /var/log/audit/. One caveat though - audit files are usually relatively strictly protected so it might be tricky to access the audit logs with splunk process running under splunk user.

Another possibility is to configure your syslog daemon to send auditd.log not only to a file on disk but also to splunk.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

it's just like @PickleRick said, if you have splunk enterprise component on node there is no need for UF on that host. BUT if you have automatic provisioning on those host (e.g. in AWS or other cloud environment) then it may be that you have already UF installed on all nodes. Then it could be an option to use it as a "standard" solution to collect logs. If you select this option you must ensure that e.g. startup scripts, service names and so on are different for UF and Splunk server components.

I cannot said which option is better use UF or install those inputs as an apps to e.g. indexers? Some people (e.g. I) don't like to idea to install any additional components/apps to indexers, but it's not forbidden.

r. Ismo

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...