Getting Data In

Not seeing the _audit index/log from my windows U/Fs but I am seeing _internal

TheJagoff
Communicator

Hello,

I'm having a situation where I am not seeing the _audit index/audit.log on any of my Universal Forwarders from a single instance Search Head/Indexer. I AM seeing the _internal from all of them though. I have seen activity as of today - very little of it - in the audit.log file under the Program Files\splunkforwarder\var...\audit.log and Everyone has read access to it.

The outputs.conf file in the default directory has not been edited and the entry outputs.conf:forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry) is present.

I don't see anything in the local directory that would overwrite this.

Any ideas?

Thanks in advance.

1 Solution

somesoni2
Revered Legend

AFAIK, there is not much audit logging generated at a universal forwarder, mostly just the shutdown/start logs. I would suggest logging on to the server and confirming whether any $SPLUNK_HOME/var/log/splunk/audit.log entries are being written.


SamHTexas
Builder

Sir, can this re-start of the _audit index log be done via GUI?


TheJagoff
Communicator

Hi, you are correct, very little activity when I look at the actual log on the UF, just the startup, the acknowledgement of listing the forward-server and deployment-server.

So I am going to assume that there just wasn't or isn't enough data to send to the indexer in this case? Is this an exception because it's an internal file to Splunk and not a log file? I am questioning this because of regular log data not getting forwarded if there's very little activity.

Thoughts on this?
Thanks again.


somesoni2
Revered Legend

You would see a warning (or info) in the splunkd log with a string like "file too small" if that is the case. In another case, if the file has not been written to for a very long time, it gets dropped from the monitoring list and you would not see any data.
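To check the two conditions described above offline (a "file too small" warning, or the file not being watched at all), here is an added Python example that is not from the thread or from Splunk; it scans splunkd.log lines, and the sample lines, paths and message wording are constructed from the splunkd.log layout and may differ in a given version.

```python
import re

# Constructed splunkd.log excerpt in the UF's own log layout (not taken from
# the thread); paths, timestamps and message wording are assumptions.
SAMPLE_SPLUNKD_LOG = """\
05-10-2017 08:01:02.100 -0700 INFO  WatchedFile - Will begin reading at offset=0 for file='C:\\Program Files\\SplunkUniversalForwarder\\var\\log\\splunk\\audit.log'.
05-10-2017 08:01:02.250 -0700 WARN  TailReader - File too small to check seekcrc, probably truncated. Will re-check later. - file='C:\\Program Files\\SplunkUniversalForwarder\\var\\log\\splunk\\audit.log'
05-10-2017 08:01:03.000 -0700 INFO  WatchedFile - Will begin reading at offset=4096 for file='C:\\Program Files\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log'.
"""

# date time tz LEVEL  Component - message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<tz>[+-]\d{4}) (?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
FILE_RE = re.compile(r"file='(?P<path>[^']+)'")


def audit_log_status(log_text, filename="audit.log"):
    """Collect what splunkd.log says about one monitored file.
    Returns {"watched": bool, "too_small": bool, "events": [(level, component, msg), ...]}.
    'watched' means a WatchedFile line named the file; 'too_small' means TailReader
    skipped it with the 'file too small' warning the thread mentions.
    """
    status = {"watched": False, "too_small": False, "events": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FILE_RE.search(m["msg"])
        if not f or not f["path"].lower().endswith(filename):
            continue
        status["events"].append((m["level"], m["component"], m["msg"]))
        if m["component"] == "WatchedFile":
            status["watched"] = True
        if m["component"] == "TailReader" and "too small" in m["msg"].lower():
            status["too_small"] = True
    return status


def diagnose(status):
    """Map the collected status onto the two explanations given in the thread."""
    if not status["watched"]:
        return "not watched: file is absent from the monitoring list (idle too long, or never picked up)"
    if status["too_small"]:
        return "watched but too small: nothing is forwarded until the file grows"
    return "watched and read: look beyond the forwarder (outputs.conf whitelist, indexer)"


if __name__ == "__main__":
    print(diagnose(audit_log_status(SAMPLE_SPLUNKD_LOG)))
```

Run it against the real $SPLUNK_HOME/var/log/splunk/splunkd.log from the forwarder by passing the file contents instead of the constructed sample.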

TheJagoff
Communicator

Ok, I'm with you on this. If you want to write that as the answer, I'll accept it. The audit file is being listed under component="WatchedFile" on the _internal index so it is known to Splunk and that's good to know.
Many thanks!


woodcock
Esteemed Legend

What version of Splunk on the forwarder?


TheJagoff
Communicator

I'm now away from the worksite, I'll check in the morning (PDT) and get back - Thanks!


TheJagoff
Communicator

It's a mix of several. 6.3.9 for 2 older Windows servers, 6.5.1 for 2 Linux servers, and 6.5.2 for the remaining 58 Windows servers.
We are ingesting data for winevent logs and linux os from them.
