With little to no Splunk experience, I inherited a 7.2.3 windows deployment (We're closed network and I'm not cleared to upgrade yet)
I've been finding little things here and there. One of the bigger ones being I'm ONLY getting _Audit logs from the Splunk servers; I'm not getting any audit input from any work stations, or other production servers. I've been dredging the boards for 3 days now and haven't found anything that seems along this line.
I've checked the %Splunk\var\log\audit.log on several and the host's audit logs are getting input, but they're not getting ingested.
I've gone through the deployment_app input.conf and output.conf files and don't see any glaring indications.
So, I'm asking for ideas on other things to check.
Hi you would need to forward audit logs from splunk UF to splunk indexers.
Thanks for the reply Mayurr!
I thought the same thing. I did find an app being pushed to all the UF's [and verified it's getting to the workstations] to override default with the following entry from %splunkHome\etc\apps\Splunk_UF\default\outputs.conf:
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = .*
forwardedindex.2.whitelist = (_audit | _introspection | _internal | _telemetry)
forwardedindex.fileter.disable = false
It seems like the 0.whitelist entry is unnecessary but I wonder if that is actually conflicting with gathering audit info.