Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is _audit index not capturing all hosts?

jessieb_83
Path Finder
‎04-06-2022 08:34 AM

With little to no Splunk experience, I inherited a 7.2.3 windows deployment (We're closed network and I'm not cleared to upgrade yet)

I've been finding little things here and there. One of the bigger ones being I'm ONLY getting _Audit logs from the Splunk servers; I'm not getting any audit input from any work stations, or other production servers. I've been dredging the boards for 3 days now and haven't found anything that seems along this line.

I've checked the %Splunk\var\log\audit.log on several and the host's audit logs are getting input, but they're not getting ingested.

I've gone through the deployment_app input.conf and output.conf files and don't see any glaring indications.

So, I'm asking for ideas on other things to check.

Labels (1)
Labels
0 Karma
Reply

mayurr98
Super Champion
‎04-06-2022 08:50 AM

Hi you would need to forward audit logs from splunk UF to splunk indexers.

https://community.splunk.com/t5/Getting-Data-In/Does-Splunk-Universal-Forwarder-forward-audit-events...

 

 

0 Karma
Reply

jessieb_83
Path Finder
‎04-06-2022 10:40 AM

Thanks for the reply Mayurr!

I thought the same thing. I did find an app  being pushed to all the UF's [and verified it's getting to the workstations] to override default with the following entry from %splunkHome\etc\apps\Splunk_UF\default\outputs.conf:

[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = .*
forwardedindex.2.whitelist = (_audit | _introspection | _internal | _telemetry)
forwardedindex.fileter.disable = false

It seems like the 0.whitelist entry is unnecessary but I wonder if that is actually conflicting with gathering audit info.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...