Getting Data In

How do I ingest the Linux audit logs from this system into Splunk?


Splunk 8.2.5 Enterprise receiver and indexer operating on the same RHEL 7.9 system.  How do I ingest the Linux audit logs from this system into Splunk? Do I need to install a Universal Forwarder like I did on my other/external systems?  I have dashboards created and I'm receiving Linux audit events from my other/external systems but nothing from the Receiver/Indexer system.


Ultra Champion

No. As long as you have some "heavy" Splunk component (search head, indexer, deployment server and so on - anything based on the full installer package) you don't need to install an additional Universal Forwarder.

With a properly configured environment you should be pushing logs from all Splunk components to the indexers, so it should be enough to define monitor inputs to read from /var/log/audit/. One caveat though: audit files are usually relatively strictly protected, so it might be tricky to access the audit logs with the splunk process running under the splunk user.

Another possibility is to configure your syslog daemon to send auditd.log not only to a file on disk but also to Splunk.




It's just like @PickleRick said: if you have a Splunk Enterprise component on the node there is no need for a UF on that host. BUT if you have automatic provisioning on those hosts (e.g. in AWS or another cloud environment) then it may be that you already have a UF installed on all nodes. Then it could be an option to use it as a "standard" solution to collect logs. If you select this option you must ensure that e.g. startup scripts, service names and so on are different for the UF and the Splunk server components.

I cannot say which option is better, use a UF or install those inputs as an app on e.g. indexers. Some people (e.g. me) don't like the idea of installing any additional components/apps on indexers, but it's not forbidden.

r. Ismo
