Monitoring Splunk

Universal Forwarder audit logs not going to Splunk Cloud


Hi, I'm having an issue where my Splunk audit.log from the UF is not being forwarded to my Splunk Cloud instance. My environment is as follows:

1x Universal Forwarder -> 2x Intermediate Forwarder -> 4x Cloud Indexers

My default\outputs.conf is as follows:
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
forwardedindex.filter.disable = false
indexAndForward = false

My local/outputs.conf is as follows:
server = my ip's here
forwardedindex.filter.disable = true

forwardedindex.2.whitelist = (_audit)

I ran the splunk.exe list monitor command and it shows the file being monitored, however, i don't see the logs showing up in my _audit log in the cloud. Is that the right index the audit.log should appear in? I even tried to set up a separate inputs entry to monitor that file to no avail. Any thoughts on how I could troubleshoot this issue?

Labels (2)
0 Karma

Splunk Employee
Splunk Employee

You do need to update that to  "_audit" in your first tier of whitelists..



0 Karma
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...