Splunk 8.2.5 Enterprise receiver and indexer operating on the same RHEL 7.9 system. How do I ingest the Linux audit logs from this system into Splunk? Do I need to install a Universal Forwarder like I did on my other/external systems? I have dashboards created and I'm receiving Linux audit events from my other/external systems but nothing from the Receiver/Indexer system.
No. As long as you have some "heavy" Splunk component (search head, indexer, deployment server and so on - anything based on the full installer package) you don't need to install an additional Universal Forwarder.
With a properly configured environment you should be pushing logs from all Splunk components to the indexers, so it should be enough to define monitor inputs to read from /var/log/audit/. One caveat though - audit files are usually relatively strictly protected, so it might be tricky to access the audit logs with the Splunk process running under the splunk user.
Another possibility is to configure your syslog daemon to send auditd.log not only to a file on disk but also to Splunk.
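To make the two points in this answer concrete (a monitor input for /var/log/audit/ and the permission caveat), here is an added shell example that is not from the original thread or from Splunk. It renders an inputs.conf monitor stanza and runs a coarse mode-bit check of the kind you would do before enabling the input, against a constructed temporary directory that mirrors auditd's default 0700/0600 permissions. The index name linux_audit, the splunk user name and the sourcetype are assumptions; adjust them to your environment.

```shell
#!/bin/sh
# Added example (not code from the thread). Assumes Splunk Enterprise runs as the
# "splunk" user. The index name "linux_audit" is a constructed placeholder.

# Render the [monitor://] stanza that would go into inputs.conf to read auditd's
# log directory. The whitelist limits the input to audit.log and its rotated copies.
render_audit_monitor_stanza() {
    path="${1:-/var/log/audit}"
    index="${2:-linux_audit}"
    printf '[monitor://%s]\n' "$path"
    printf 'disabled = false\n'
    printf 'sourcetype = linux_audit\n'
    printf 'index = %s\n' "$index"
    printf 'whitelist = audit\\.log(\\.[0-9]+)?$\n'
}

# Coarse check: can a non-root process read this path via the group or "other"
# read bit? (With a POSIX ACL in place, ls shows the ACL mask in the group field,
# so an ACL grant is also reflected here.) Returns 0 if readable, 1 otherwise.
readable_by_nonroot() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????r?????|???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstrate against a constructed directory with auditd's default permissions
# (directory 0700 root-only, audit.log 0600), so nothing touches the real log.
demo() {
    tmp=$(mktemp -d)
    mkdir -m 0700 "$tmp/audit"
    : > "$tmp/audit/audit.log"
    chmod 0600 "$tmp/audit/audit.log"

    echo "# inputs.conf stanza:"
    render_audit_monitor_stanza "$tmp/audit" linux_audit

    if readable_by_nonroot "$tmp/audit" && readable_by_nonroot "$tmp/audit/audit.log"; then
        echo "OK: a non-root splunk process can read the audit log"
    else
        # Mitigation options: grant a read ACL to the splunk user, or let auditd
        # chown its logs to a group via log_group in /etc/audit/auditd.conf.
        echo "BLOCKED: grant read access, e.g."
        echo "  setfacl -m u:splunk:rx $tmp/audit"
        echo "  setfacl -m u:splunk:r  $tmp/audit/audit.log"
        echo "  (or set log_group = splunk in /etc/audit/auditd.conf and restart auditd)"
    fi
    rm -rf "$tmp"
}

demo
```

The mode-bit check is only a first pass; the definitive test on the real host is to run `su -s /bin/sh splunk -c 'test -r /var/log/audit/audit.log'` and check the exit status. Note that auditd rewrites the permissions of the files it rotates, so an ACL on the current audit.log alone is not enough; either apply a default ACL on the directory or use the log_group setting so rotated files stay readable.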
Hi
It's just like @PickleRick said: if you have a Splunk Enterprise component on the node, there is no need for a UF on that host. BUT if you have automatic provisioning on those hosts (e.g. in AWS or another cloud environment), then it may be that you already have a UF installed on all nodes. Then it could be an option to use it as a "standard" solution to collect logs. If you select this option you must ensure that e.g. startup scripts, service names and so on are different for the UF and the Splunk server components.
I cannot say which option is better: using a UF, or installing those inputs as apps on e.g. the indexers. Some people (e.g. me) don't like the idea of installing any additional components/apps on indexers, but it's not forbidden.
r. Ismo