Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Universal Forwarder audit logs not going to Splunk Cloud

apiprek2
Engager
‎12-09-2019 03:13 PM

Hi, I'm having an issue where my Splunk audit.log from the UF is not being forwarded to my Splunk Cloud instance. My environment is as follows:

1x Universal Forwarder -> 2x Intermediate Forwarder -> 4x Cloud Indexers

My default\outputs.conf is as follows:
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
forwardedindex.filter.disable = false
indexAndForward = false

My local/outputs.conf is as follows:
[tcpout:default-autolb-group]
server = my ip's here
forwardedindex.filter.disable = true

forwardedindex.2.whitelist = (_audit)

I ran the splunk.exe list monitor command and it shows the file being monitored, however, i don't see the logs showing up in my _audit log in the cloud. Is that the right index the audit.log should appear in? I even tried to set up a separate inputs entry to monitor that file to no avail. Any thoughts on how I could troubleshoot this issue?

Labels (2)
Labels
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎06-21-2020 06:54 PM

You do need to update that to  "_audit" in your first tier of whitelists..

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...