Why is _audit index not capturing all hosts?

jessieb_83 · ‎04-06-2022

With little to no Splunk experience, I inherited a 7.2.3 windows deployment (We're closed network and I'm not cleared to upgrade yet)

I've been finding little things here and there. One of the bigger ones being I'm ONLY getting _Audit logs from the Splunk servers; I'm not getting any audit input from any work stations, or other production servers. I've been dredging the boards for 3 days now and haven't found anything that seems along this line.

I've checked the %Splunk\var\log\audit.log on several and the host's audit logs are getting input, but they're not getting ingested.

I've gone through the deployment_app input.conf and output.conf files and don't see any glaring indications.

So, I'm asking for ideas on other things to check.

mayurr98 · ‎04-06-2022

Hi you would need to forward audit logs from splunk UF to splunk indexers.

https://community.splunk.com/t5/Getting-Data-In/Does-Splunk-Universal-Forwarder-forward-audit-events...

jessieb_83 · ‎04-06-2022

Thanks for the reply Mayurr!

I thought the same thing. I did find an app being pushed to all the UF's [and verified it's getting to the workstations] to override default with the following entry from %splunkHome\etc\apps\Splunk_UF\default\outputs.conf:

[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = .*
forwardedindex.2.whitelist = (_audit | _introspection | _internal | _telemetry)
forwardedindex.fileter.disable = false

It seems like the 0.whitelist entry is unnecessary but I wonder if that is actually conflicting with gathering audit info.

Why is _audit index not capturing all hosts?

indexing performance

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!