Hi @gcusello

I am using Splunk Enterprise.

All of our systems send audit data to a central log server, from there we use Splunk to query data, which helps us setup reports, alerts, etc.

I'm not sure I understand your question on, "which add- did you used to take logs?"

Is this something that is found on the Splunk Enterprise platform.

Hi @StarFox,

you spoke of VPN user activity, which VPN technology are you using?

because I suppose that you want to monitor the accesses using this technology!

how do you take the logs from this technology?

usually to take a Data Source is used an Add-On which one are you using?

I understand that you use Splunk Enterprise, but I need to understand how the technology you are using is sending logs to Splunk.

Do you know how Splunk works to getting data in? if not, read at https://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain

Ciao.

Giuseppe

@gcusello

If I understand your question:

We have a .conf file on devices that is configured to forward data in specific file paths, to our central log server.

Hi @StarFox,

your description is still too poor:

have you a Splunk Universal Forwarder installed on the target machine?

which conf file are you using? I suppose inputs.conf.

the conf file is in an App? if yes, which one?

As I said, read the Splunk documentation I hinted to understad how Splunk works.

Anyway, you didn't answered to the main question: which technlogy have you to monitor (VPN)?

Ciao.

Giuseppe

Well, let me rephrase. How would I query a user to see all the data at:

/var/log/syslog or /var/log/messages

/var/log/auth.log or /var/log/secure

/var/log/boot.log

It would depend on what kind of events you have there and how they are parsed.

How are you ingesting those files? And what apps are you using to parse the data from those logs?

@PickleRick 

We use SolarWinds for Windows and Splunk for Linux. Both configured to send audit logs to a central log server.  We also use Zabbix