Hello,
For a planned test environment with ES I'm trying to see what fits better with my scenario.
I can see that Splunk Add-on for Unix and Linux can read the auditd via some script. I found also the Linux Auditd add-on which looks more dedicated.
The question is: which is better to use (especially with regard to CIM compliance)?
Note: I don't care too much about the performance metrics that the official add-on offers. The usage will be with ES.
The nix app should not be used. This is not just my opinion, it’s a widely held view. The nix app has a range of problems and I strongly suggest you use the Linux Secure app (https://splunkbase.splunk.com/app/3476/), the sudo app (https://splunkbase.splunk.com/app/3038/) and the Linux Audit app mentioned in the question together. The nix app provides no real interpretation of Auditd logs and therefore adds no value, unlike the Linux Auditd app, which provides a wealth of field extractions properly normalised to the CIM (critical for ES), lookups, dashboards, etc. for understanding and deriving value from the ingestion of that source.
Thank you for the recommendations. They look very good (I will also check the iptables app).
The last question is whether the nix_TA still needs to be on the UF to grab the data, or whether one or more other TAs need to be deployed on the UF instead of the nix_TA.
(I saw that the auditd app has a TA inside which can probably be installed on a UF.)
Each app has different recommendations so it’s always best to read their documentation. In this case none of those TAs needs to be deployed to the UFs, but an inputs.conf with the correct sourcetype specified in the monitor stanza is important.
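As an added illustration (not from the answer above), an inputs.conf on the UF that monitors the files the Linux Auditd, Linux Secure and sudo apps consume; the app directory and index name are constructed, and the sourcetype values are assumptions that must be verified against each app's documentation:

```ini
# Added example, not from the original post.
# Example path on the UF: /opt/splunkforwarder/etc/apps/<your_inputs_app>/local/inputs.conf
# Sourcetype names are assumptions; confirm them against the documentation of
# the Linux Auditd app, the Linux Secure app and the sudo app.

# auditd events for the Linux Auditd app
[monitor:///var/log/audit/audit.log]
sourcetype = linux_audit
index = os
disabled = false

# authentication and sudo events for the Linux Secure and sudo apps
# (use /var/log/auth.log instead of /var/log/secure on Debian/Ubuntu)
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os
disabled = false
```

If the nix TA is still present on the UF, make sure its auditd scripted input is not enabled as well, otherwise the same events are ingested twice.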