
Linux Auditd: How to get this app working with Splunk Enterprise Security?

Explorer

I have been trying to configure the Linux Auditd app to get it 100% functioning. Some of the panes are working and some are not. The app is not integrated with Splunk Enterprise Security (ES) and is running on Splunk 6.5.1. Is this platform supported? What would be the solution to fix the errors below:

  • Error in 'PivotProcessor': Error in 'DataModelEvaluator': Data model 'Auditd' was not found.
  • Error in 'lookup' command: The lookup table 'posix_identities' does not exist or is not available.
  • The lookup table 'auditdhostinventory' does not exist. It is referenced by configuration 'linux:audit'.

Please guide.

0 Karma

Re: Linux Auditd: How to get this app working with Splunk Enterprise Security?

SplunkTrust

Have you completed the installation instructions for search environments with ES? https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#enterprise-security


Re: Linux Auditd: How to get this app working with Splunk Enterprise Security?

Explorer

Yeah, I have followed those instructions. I am testing this without ES.

0 Karma