Getting Data In

Not seeing the _audit index/log from my windows U/Fs but I am seeing _internal

TheJagoff
Communicator

Hello,

I'm having a situation where I am not seeing the _audit index/audit.log on any of my Universal Forwarders from a single instance Search Head/Indexer. I AM seeing the _internal from all of them though. I have seen activity as of today - very little of it - in the audit.log file under the Program Files\splunkforwarder\var...\audit.log and Everyone has read access to it.

The outputs.conf file in the default directory has not been edited and the entry outputs.conf:forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry) is present.

I don't see anything in the local directory that would overwrite this.

Any ideas?

Thanks in advance.

0 Karma
1 Solution

somesoni2
Revered Legend

AFAIK, there is nothing much of audit logs generated at universal forwarder, mostly just the shutdown/start logs. I would suggest to log on to to server and confirm there was any $SPLUNK_HOME/var/log/splunk/audit.log entries being written.

View solution in original post

0 Karma

somesoni2
Revered Legend

AFAIK, there is nothing much of audit logs generated at universal forwarder, mostly just the shutdown/start logs. I would suggest to log on to to server and confirm there was any $SPLUNK_HOME/var/log/splunk/audit.log entries being written.

0 Karma

SamHTexas
Builder

Sir, can this re-start of the _audit index log be done via GUI?

Tags (1)
0 Karma

TheJagoff
Communicator

Hi, you are correct, very little activity when I look at the actual log on the UF, just the startup, the acknowledgement of listing the forward-server and deployment-server.

So I am going to assume that there just wasn't or isn't enough data to send to the indexer in this case? Is this an exception because it's an internal file to Splunk and not a log file? I am questioning this because of regular log data not getting forwarded if there's very little activity.

Thoughts on this?
Thanks again.

0 Karma

somesoni2
Revered Legend

You would see a warning (or info) in the splunkd log with string like "file too small" if that is the case. In one more case, if the file has not been written for very long time, it gets dropped from the monitoring list and you'd not see any data.

TheJagoff
Communicator

Ok, I'm with you on this. If you want to write that as the answer, I'll accept it. The audit file is being listed under component="WatchedFile" on the _internal index so it is known to Splunk and that's good to know.
Many thanks!

0 Karma

woodcock
Esteemed Legend

What version of Splunk on the forwarder?

0 Karma

TheJagoff
Communicator

I'm now away from the worksite, I'll check in the morning (PDT) and get back - Thanks!

0 Karma

TheJagoff
Communicator

It's a mix of several. 6.3.9 for 2 older Windows servers, 6.5.1 for 2 Linux servers, and 6.5.2 for the remaining 58 Windows servers.
We are ingesting data for winevent logs and linux os from them.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...