Universal Forwarder audit logs not going to Splunk...

apiprek2 · ‎12-09-2019

Hi, I'm having an issue where my Splunk audit.log from the UF is not being forwarded to my Splunk Cloud instance. My environment is as follows:

1x Universal Forwarder -> 2x Intermediate Forwarder -> 4x Cloud Indexers

My default\outputs.conf is as follows:
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
forwardedindex.filter.disable = false
indexAndForward = false

My local/outputs.conf is as follows:
[tcpout:default-autolb-group]
server = my ip's here
forwardedindex.filter.disable = true

forwardedindex.2.whitelist = (_audit)

I ran the splunk.exe list monitor command and it shows the file being monitored, however, i don't see the logs showing up in my _audit log in the cloud. Is that the right index the audit.log should appear in? I even tried to set up a separate inputs entry to monitor that file to no avail. Any thoughts on how I could troubleshoot this issue?

esix_splunk · ‎06-21-2020

You do need to update that to "_audit" in your first tier of whitelists..

Universal Forwarder audit logs not going to Splunk Cloud

audit

forwarder

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector