
How do I ingest the Linux audit logs from this system into Splunk?


Splunk 8.2.5 Enterprise receiver and indexer operating on the same RHEL 7.9 system.  How do I ingest the Linux audit logs from this system into Splunk? Do I need to install a Universal Forwarder like I did on my other/external systems?  I have dashboards created and I'm receiving Linux audit events from my other/external systems but nothing from the Receiver/Indexer system.



No. As long as you have some "heavy" Splunk component (search head, indexer, deployment server and so on - anything based on the full installer package) you don't need to install an additional Universal Forwarder.

With a properly configured environment you should be pushing logs from all Splunk components to the indexers, so it should be enough to define monitor inputs to read from /var/log/audit/. One caveat though - audit files are usually relatively strictly protected, so it might be tricky to access the audit logs with the splunk process running under the splunk user.

Another possibility is to configure your syslog daemon to send auditd.log not only to a file on disk but also to splunk.

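The monitor input and the permission caveat from the answer above, put into a script. This is an added example, not code from the thread or from Splunk; it assumes SPLUNK_HOME=/opt/splunk, that splunkd runs as the user "splunk", an app name of "audit_inputs", an index named "linux_audit", and it uses the "linux_audit" sourcetype that the Splunk Add-on for Unix and Linux expects for audit.log. The permission fix relies on auditd's own log_group setting rather than chmod: auditd keeps audit.log at 0600 while log_group is root and relaxes it to 0640 for the configured group, so pointing log_group at the splunk user's group gives read access without opening the file to everyone.

```shell
#!/bin/sh
# Added example (not from the thread or Splunk): read auditd logs directly on a
# Splunk Enterprise indexer instead of installing a Universal Forwarder.
# Assumed values: SPLUNK_HOME, user "splunk", app "audit_inputs", index "linux_audit".
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"
APP_LOCAL="$SPLUNK_HOME/etc/apps/audit_inputs/local"
AUDITD_CONF="${AUDITD_CONF:-/etc/audit/auditd.conf}"

# Emit the inputs.conf stanza that makes this node tail audit.log itself.
audit_inputs_stanza() {
    cat <<'EOF'
[monitor:///var/log/audit/audit.log]
disabled = false
sourcetype = linux_audit
index = linux_audit
EOF
}

# Read the effective log_group from an auditd.conf file ("root" when unset).
auditd_log_group() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    printf '%s\n' "${val:-root}"
}

# Set log_group in auditd.conf (replace an existing line or append one).
# auditd chmods audit.log to 0600 while log_group is root and to 0640 for any
# other group, so this is the supported way to let a non-root reader in.
set_auditd_log_group() {
    group="$1"; conf="$2"
    if grep -q '^[[:space:]]*log_group[[:space:]]*=' "$conf"; then
        sed -i "s/^[[:space:]]*log_group[[:space:]]*=.*/log_group = $group/" "$conf"
    else
        printf 'log_group = %s\n' "$group" >> "$conf"
    fi
}

# Return 0 if the given user can read the file; must run as root for su to work.
can_user_read() {
    su -s /bin/sh "$1" -c "test -r '$2'" 2>/dev/null
}

# Full procedure, to be run as root on the indexer.
install_audit_input() {
    mkdir -p "$APP_LOCAL"
    audit_inputs_stanza > "$APP_LOCAL/inputs.conf"
    set_auditd_log_group "$SPLUNK_USER" "$AUDITD_CONF"
    # On RHEL 7 auditd refuses systemctl stop/restart; the SysV wrapper works.
    service auditd restart
    "$SPLUNK_HOME/bin/splunk" restart
    if can_user_read "$SPLUNK_USER" /var/log/audit/audit.log; then
        echo "ok: $SPLUNK_USER can read /var/log/audit/audit.log"
    else
        echo "still unreadable: check that group $SPLUNK_USER exists and log_group was applied"
    fi
}
```

The group named in log_group must already exist (here it is the splunk user's primary group); auditd applies the new group and mode when it starts and whenever it rotates the log, so rotated files stay readable as well, which a one-off chmod or setfacl on the current file would not guarantee.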



It's just like @PickleRick said: if you have a Splunk Enterprise component on a node, there is no need for a UF on that host. BUT if you have automatic provisioning on those hosts (e.g. in AWS or another cloud environment), then it may be that you already have a UF installed on all nodes. Then it could be an option to use it as a "standard" solution to collect logs. If you select this option, you must ensure that e.g. startup scripts, service names and so on are different for the UF and the Splunk server components.

I cannot say which option is better: use a UF, or install those inputs as apps on e.g. indexers? Some people (e.g. me) don't like the idea of installing any additional components/apps on indexers, but it's not forbidden.

r. Ismo
