Solved: Looking for solutions for Linux/Unix Auditing?

kymenope · ‎03-14-2023

Fairly new Splunk user here looking for Linux auditing solutions. I am running a disconnected version of Splunk Enterprise and thus cannot make use of the content pack which replaced the application and add-on according to SplunkBase.

Am I still able to use the archived applications and add-on?

Realistically I am seeking a solution that would allow me to configure the universal forwarders I'm using to send the appropriate data so I can create queries via the linux_secure sourcetype.

isoutamo · ‎03-14-2023

Hi

I'm not sure if I understood right your question.

There is no need to be a connection between your instance and splunkbase. Just download those apps/TAs etc from it to your workstation and then transfer those with any usable way to your UF's, DS and/or Splunk enterprise instances. Then just install those as instructions said and start to use those.

That's the way how I do installation almost every time. I use that direct connection to splunkbase only on my test/demo etc. instances, never on production systems.

r. Ismo

View solution in original post

isoutamo · ‎03-14-2023

Hi

I'm not sure if I understood right your question.

There is no need to be a connection between your instance and splunkbase. Just download those apps/TAs etc from it to your workstation and then transfer those with any usable way to your UF's, DS and/or Splunk enterprise instances. Then just install those as instructions said and start to use those.

That's the way how I do installation almost every time. I use that direct connection to splunkbase only on my test/demo etc. instances, never on production systems.

r. Ismo

Looking for solutions for Linux/Unix Auditing?

Linux

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio