With little to no Splunk experience, I inherited a 7.2.3 Windows deployment (we're on a closed network and I'm not cleared to upgrade yet).
I've been finding little things here and there. One of the bigger ones being that I'm ONLY getting _audit logs from the Splunk servers; I'm not getting any audit input from any workstations or other production servers. I've been dredging the boards for 3 days now and haven't found anything that seems along this line.
I've checked %Splunk\var\log\audit.log on several hosts, and the hosts' audit logs are getting input, but they're not getting ingested.
I've gone through the deployment app's inputs.conf and outputs.conf files and don't see any glaring indications.
So, I'm asking for ideas on other things to check.
Thanks for the reply, Mayurr!
I thought the same thing. I did find an app being pushed to all the UFs (and verified it's getting to the workstations) that overrides the defaults with the following entries from %splunkHome\etc\apps\Splunk_UF\default\outputs.conf:
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = .*
forwardedindex.2.whitelist = (_audit | _introspection | _internal | _telemetry)
forwardedindex.fileter.disable = false
It seems like the 0.whitelist entry is unnecessary, but I wonder if it is actually conflicting with gathering audit info.
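To reason about rules like the ones quoted above, here is an added illustration (not Splunk's code and not from this thread) that evaluates forwardedindex whitelist/blacklist rules the way Splunk documents them: rules are applied in numeric order and the last one whose regex matches the index name decides, with the regex matching the whole index name. The POSTED_RULES string is a constructed copy of the quoted stanza; CLEANED_RULES is an assumed variant with the alternation written without spaces and the blacklist narrowed to `_.*`, used only for comparison.

```python
import re

# Constructed copy of the outputs.conf rules quoted in the post above
POSTED_RULES = """
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = .*
forwardedindex.2.whitelist = (_audit | _introspection | _internal | _telemetry)
forwardedindex.fileter.disable = false
"""

# Assumed cleaned-up variant: no spaces inside the alternation, and the
# blacklist limited to internal (underscore) indexes so normal data passes
CLEANED_RULES = """
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_introspection|_internal|_telemetry)
forwardedindex.filter.disable = false
"""

RULE_RE = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(.*)$")
DISABLE_RE = re.compile(r"^forwardedindex\.filter\.disable\s*=\s*(true|false)$", re.I)

def parse_rules(text):
    """Return (filter_disabled, [(n, kind, regex)] sorted by n).
    Misspelled keys (e.g. 'fileter') match nothing and are silently ignored."""
    rules, disabled = [], False
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), re.compile(m.group(3).strip())))
        d = DISABLE_RE.match(line)
        if d:
            disabled = d.group(1).lower() == "true"
    return disabled, sorted(rules, key=lambda r: r[0])

def is_forwarded(index, disabled, rules):
    """Assumption: last matching rule wins; whitelist forwards, blacklist drops."""
    if disabled:
        return True
    forwarded = True  # no matching rule at all: event is forwarded
    for _, kind, rx in rules:
        if rx.fullmatch(index):
            forwarded = (kind == "whitelist")
    return forwarded

def report(text, indexes=("_audit", "_internal", "wineventlog", "main")):
    disabled, rules = parse_rules(text)
    return {idx: is_forwarded(idx, disabled, rules) for idx in indexes}

if __name__ == "__main__":
    print("posted :", report(POSTED_RULES))   # every index dropped
    print("cleaned:", report(CLEANED_RULES))  # every listed index forwarded
```

With the quoted rules, rule 1 drops everything and the spaces inside rule 2's alternation stop it from matching any real index name (including _audit), so nothing is forwarded; the misspelled disable key is never read, so the filter stays active.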