I am monitoring Linux hosts (I've installed the Splunk Add-on for *Nix...).
When I run the search sourcetype="linux_audit"
in the "Search and Report" app for the last 6 months as USER1, I get zero results. However, the same search in the same time window with the admin user gives about 183.445 events!!!? How is it possible?
Thanks for the support
hi fab73,
you have to verify two points in the role assigned to USER1:
To verify roles you have to go to [Settings -- Access Controls -- Roles]
Bye.
Giuseppe
Thanks a lot Giuseppe, I solved it by adding all internal indexes to USER1's role; they were missing from the role but present in the admin's role.
How can I know which index the "linux_audit" sourcetype is written to? I did not do any conscious configuration at this level...
Thanks
Thanks twice, this way I could add the specific "os" index to the USER1 role. Bye.
hi fab73,
to know which indexes ingest events with sourcetype=linux_audit you have to run a search like this:
| metasearch index=* sourcetype=linux_audit | dedup index | table index
Bye.
Giuseppe
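Putting the two answers together as an added example (these searches are not from Giuseppe's or fab73's posts): the first, run as admin, reports which indexes hold linux_audit events and how many; the second, also run as admin, reads the role definition back through the REST endpoint so the allowed-index list can be checked without opening the UI; the third, run as USER1, lists the indexes that account can actually search. The role name user1_role is a placeholder, since the thread never names the real role.

```spl
| metasearch index=* sourcetype=linux_audit
| stats count earliest(_time) AS first_event latest(_time) AS last_event BY index

| rest /services/authorization/roles splunk_server=local
| search title="user1_role"
| table title imported_roles srchIndexesAllowed srchIndexesDefault

| eventcount summarize=false index=*
| dedup index
| table index
```

If the index returned by the first search (here "os") is missing from srchIndexesAllowed in the second, that is the cause of the zero-result search. Adding only that index to the role is the least-privilege fix; granting every internal index, as in the first workaround above, also exposes _audit and _internal data to the account. The | rest search needs the REST read capabilities the admin role has, so run it as admin rather than as USER1.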