Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I ingest the Linux audit logs from this system into Splunk?

lutzmw
Engager
‎05-19-2022 02:00 PM

Splunk 8.2.5 Enterprise receiver and indexer operating on the same RHEL 7.9 system.  How do I ingest the Linux audit logs from this system into Splunk? Do I need to install a Universal Forwarder like I did on my other/external systems?  I have dashboards created and I'm receiving Linux audit events from my other/external systems but nothing from the Receiver/Indexer system.

Labels (3)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-19-2022 02:49 PM

No. As long as you have some "heavy" Splunk component (search-head, indexer, deployment server and so on - anything based on the full installer package) you don't need to install additional Universal Forwarder.

With a properly configured environment you should be pushing logs from all splunk components to the indexers so it should be enough to define monitor inputs to read from /var/log/audit/. One caveat though - audit files are usually relatively strictly protected so it might be tricky to access the audit logs with splunk process running under splunk user.

Another possibility is to configure your syslog daemon to send auditd.log not only to a file on disk but also to splunk.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-19-2022 03:03 PM

Hi

it's just like @PickleRick said, if you have splunk enterprise component on node there is no need for UF on that host. BUT if you have automatic provisioning on those host (e.g. in AWS or other cloud environment) then it may be that you have already UF installed on all nodes. Then it could be an option to use it as a "standard" solution to collect logs. If you select this option you must ensure that e.g. startup scripts, service names and so on are different for UF and Splunk server components.

I cannot said which option is better use UF or install those inputs as an apps to e.g. indexers? Some people (e.g. I) don't like to idea to install any additional components/apps to indexers, but it's not forbidden.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...