Hi, I'm having an issue where my Splunk audit.log from the UF is not being forwarded to my Splunk Cloud instance. My environment is as follows:
1x Universal Forwarder -> 2x Intermediate Forwarder -> 4x Cloud Indexers
My default\outputs.conf is as follows:
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
forwardedindex.filter.disable = false
indexAndForward = false
My local/outputs.conf is as follows:
[tcpout:default-autolb-group]
server = my ip's here
forwardedindex.filter.disable = true
forwardedindex.2.whitelist = (_audit)
I ran the splunk.exe list monitor command and it shows the file being monitored; however, I don't see the logs showing up in my _audit log in the cloud. Is that the right index the audit.log should appear in? I even tried to set up a separate inputs entry to monitor that file, to no avail. Any thoughts on how I could troubleshoot this issue?
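To reason about what the forwardedindex whitelist/blacklist chain actually does with an index name, the following is an added example (not the poster's code and not Splunk's): a small simulator that parses the two outputs.conf fragments above, merges them key by key the way default/local layering does, and reports which rule decides the fate of an index such as _audit. The conf text is reconstructed from the question with placeholder server addresses; the merge ignores which [tcpout...] stanza a key lives in, regexes are matched against the whole index name, an index matching no rule is treated as forwarded, and the last matching rule is assumed to win (the only reading under which the stock default makes sense). All four points are assumptions, so confirm them against outputs.conf.spec before relying on the result.

```python
import re

# Constructed fragments mirroring the two outputs.conf files quoted in the
# question (server addresses are placeholders, not the poster's).
DEFAULT_OUTPUTS_CONF = """
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
forwardedindex.filter.disable = false
indexAndForward = false
"""

LOCAL_OUTPUTS_CONF = """
[tcpout:default-autolb-group]
server = 192.0.2.10:9997, 192.0.2.11:9997
forwardedindex.filter.disable = true
forwardedindex.2.whitelist = (_audit)
"""

RULE_KEY = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)$")


def parse_conf(text):
    """Minimal .conf parser: {stanza: {key: value}}. Comments and blanks are skipped."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def merge_forwardedindex(*conf_texts):
    """Collect forwardedindex.* keys; later files (local) override earlier ones
    (default) key by key. Assumption: keys are merged regardless of which
    [tcpout...] stanza they sit in; check outputs.conf.spec for the stanza
    Splunk actually reads these settings from."""
    merged = {}
    for text in conf_texts:
        for stanza in parse_conf(text).values():
            for key, value in stanza.items():
                if key.startswith("forwardedindex."):
                    merged[key] = value
    return merged


def ordered_rules(merged):
    """Return [(n, kind, regex)] sorted by n. Rule numbers must run 0,1,2,...
    without gaps, and a whitelist beats a blacklist carrying the same n."""
    by_n = {}
    for key, value in merged.items():
        m = RULE_KEY.match(key)
        if m:
            by_n.setdefault(int(m.group(1)), {})[m.group(2)] = value
    if sorted(by_n) != list(range(len(by_n))):
        raise ValueError(f"forwardedindex rule numbers must be contiguous from 0: {sorted(by_n)}")
    rules = []
    for n in sorted(by_n):
        kind = "whitelist" if "whitelist" in by_n[n] else "blacklist"
        rules.append((n, kind, by_n[n][kind]))
    return rules


def is_forwarded(index, merged):
    """Decide whether events bound for `index` leave the forwarder, returning
    (decision, reason). Rules are tested from 0 upward and the LAST matching
    rule decides (assumption). Further assumptions: regexes are matched against
    the whole index name, and an index matching no rule at all is forwarded."""
    if merged.get("forwardedindex.filter.disable", "false").lower() == "true":
        return True, "forwardedindex.filter.disable = true (no filtering at all)"
    decision, reason = True, "no rule matched"
    for n, kind, pattern in ordered_rules(merged):
        if re.fullmatch(pattern, index):
            decision = kind == "whitelist"
            reason = f"forwardedindex.{n}.{kind} = {pattern}"
    return decision, reason


def check(index, *conf_texts):
    """Merge the given conf texts (default first, local last) and evaluate one index."""
    return is_forwarded(index, merge_forwardedindex(*conf_texts))


if __name__ == "__main__":
    for idx in ("_audit", "_internal", "main", "_thirdparty"):
        print("default only   ", idx, check(idx, DEFAULT_OUTPUTS_CONF))
        print("default + local", idx, check(idx, DEFAULT_OUTPUTS_CONF, LOCAL_OUTPUTS_CONF))
```

Run as-is, the merged configuration reports that filtering is switched off entirely by the local disable flag, so under these assumptions the whitelist chain is not what is keeping _audit events from leaving the forwarder; flip the flag back to false in the local fragment and the narrowed rule 2 still admits _audit while dropping _internal, which is a quick way to see what each layered setting is doing before looking elsewhere (inputs, the intermediate tier, or the cloud-side index) for the missing events.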
You do need to update that to "_audit" in your first tier of whitelists.