Splunk Enterprise Security

Splunk Add-on for Unix and Linux vs Linux Auditd

a_naoum
Path Finder

Hello,

For a planned test environment with ES I'm trying to see what fits better for my scenario.
I can see that the Splunk Add-on for Unix and Linux can read auditd via some script. I also found the Linux Auditd add-on, which looks more dedicated.
The question is: which is better to use (especially with regard to CIM compliance)?

Note: I don't care too much about the performance metrics that the official add-on offers. The usage will be with ES.

1 Solution

doksu
SplunkTrust

The nix app should not be used. This is not just my opinion, it’s a widely held view. The nix app has a range of problems and I strongly suggest you use the Linux Secure app (https://splunkbase.splunk.com/app/3476/), the sudo app (https://splunkbase.splunk.com/app/3038/) and the Linux Audit app mentioned in the question together. The nix app provides no real interpretation of Auditd logs and therefore adds no value, unlike the Linux Auditd app, which provides a wealth of field extractions properly normalised to the CIM (critical for ES), lookups, dashboards, etc. for understanding and deriving value from the ingestion of that source.


a_naoum
Path Finder

Thank you for the recommendations. They look very good (I also checked iptables).

The last question is whether the nix_TA still needs to be on the UF to grab the data, or whether one or more other TAs need to be deployed on the UF instead of the nix_TA.

(I saw that the auditd app has a TA inside which can probably be installed on a UF.)


doksu
SplunkTrust

Each app has different recommendations, so it’s always best to read their documentation. In this case none of those TAs need to be deployed to the UFs, but an inputs.conf with the correct sourcetype specified in the monitor stanza is important.

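As an added illustration of the point above (this is not from the thread or from any of the apps' authors), here is what such an inputs.conf on the universal forwarder could look like. The index name `linux_os`, the app directory name and the `linux_audit` sourcetype are assumptions; confirm the exact sourcetype each app expects in its own README before deploying, since the field extractions only apply when the sourcetype matches.

```ini
# Added example, not from the thread: inputs.conf deployed to a universal forwarder,
# e.g. in $SPLUNK_HOME/etc/apps/<your_inputs_app>/local/inputs.conf (assumed app name).
# Splunk .conf files only accept comments on their own line, so none are placed
# after a value.

# auditd log: parsed by the Linux Auditd app on the indexers / search head,
# so only the sourcetype needs to be right here. "linux_audit" is assumed;
# check the app documentation.
[monitor:///var/log/audit/audit.log]
sourcetype = linux_audit
index = linux_os
disabled = 0

# authentication and sudo messages: Red Hat family writes /var/log/secure,
# Debian/Ubuntu writes /var/log/auth.log. Both are handled by the Linux Secure
# and sudo apps under the pretrained "linux_secure" sourcetype.
[monitor:///var/log/secure]
sourcetype = linux_secure
index = linux_os
disabled = 0

[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = linux_os
disabled = 0
```

Two things to check after deploying: /var/log/audit/audit.log is root-only readable by default, so the forwarder's user needs read access to it (or the forwarder must run as root) before any events arrive; and a quick search on the chosen index and sourcetype should show the CIM fields the apps extract, which is the easiest way to confirm the sourcetype name was correct.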