[syslog:test_internal_logs_syslog]
disabled = false
server = tpsmscs02:2601
type = tcp
priority = NO_PRI
maxEventSize = 16384
The problem is that not only the audit log is forwarded, but all incoming logs as well, which is not desired. So I removed "defaultGroup = test_internal_logs_syslog" from outputs.conf, and then neither the audit log nor anything else is forwarded; simply nothing.
AFAIK my config without defaultGroup = test_internal_logs_syslog should work... Could someone check it and tell me what I am doing wrong? Thanks in advance.
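The behaviour described in the question matches how Splunk's syslog output selects data: `defaultGroup` sends every event to the named group, and without it an event only reaches a syslog group if something sets its `_SYSLOG_ROUTING` key, which is done in props.conf/transforms.conf. The following is an added example of that selective routing, not the poster's own configuration beyond the outputs.conf stanza already shown; the sourcetype `audittrail` for Splunk audit events and the stanza name `route_audit_to_syslog` are assumptions, and the accepted answer below reports that audit events specifically did not route reliably this way, so treat it as a demonstration of the general mechanism for routing one data source to a syslog output while everything else stays local.

```conf
# outputs.conf (indexer or heavy forwarder)
# No defaultGroup here: nothing is sent unless a transform routes it.
[syslog:test_internal_logs_syslog]
disabled = false
server = tpsmscs02:2601
type = tcp
priority = NO_PRI
maxEventSize = 16384

# props.conf
# Assumption: Splunk audit events arrive with sourcetype "audittrail".
# Only this sourcetype gets the routing transform applied.
[audittrail]
TRANSFORMS-routeaudit = route_audit_to_syslog

# transforms.conf
# Stanza name is an arbitrary label (assumed); REGEX = . matches every
# event of the sourcetype, and DEST_KEY = _SYSLOG_ROUTING with FORMAT set
# to the syslog group name tags the event for that output only.
[route_audit_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = test_internal_logs_syslog
```

After a restart, a quick check is to send a test event of a different sourcetype and confirm on the collector (tpsmscs02:2601) that only the routed sourcetype arrives; if nothing arrives at all, the transform is not being applied to the events you expect, which is the symptom the question describes.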
We found out that Splunk handles the audit log in some special way and there is no easy and reliable way to send this log out of Splunk to an external collector. So the final solution is: the audit log is collected by rsyslog, installed on the Splunk instance, and rsyslog then sends this log to the external collector (LogStash in this case). Hope it helps.
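One way to implement the answer's workaround with rsyslog's file input, as an added example that is not the answer author's own configuration: rsyslog tails the audit log file on the Splunk host and forwards each line over TCP to the collector. The audit log path `/opt/splunk/var/log/splunk/audit.log`, the collector hostname `logstash.example.internal`, the port 5514 and the ruleset name are assumptions and should be replaced with the real values.

```conf
# /etc/rsyslog.d/splunk-audit.conf (RainerScript syntax, rsyslog 7+)

# Load the file-tailing input module.
module(load="imfile")

# Tail Splunk's on-disk audit log. Path is assumed; adjust to SPLUNK_HOME.
# The dedicated ruleset keeps these lines out of the host's default
# syslog processing (and out of /var/log/messages).
input(type="imfile"
      File="/opt/splunk/var/log/splunk/audit.log"
      Tag="splunk-audit"
      Severity="info"
      Facility="local0"
      ruleset="splunk_audit")

# Forward only the audit lines to the external collector over TCP.
# Target host and port are placeholders for the real Logstash input.
ruleset(name="splunk_audit") {
    action(type="omfwd"
           target="logstash.example.internal"
           port="5514"
           protocol="tcp")
}
```

Because the file is read directly from disk, this path does not depend on Splunk's own forwarding pipeline, which is what the answer relies on; the rsyslog service account needs read access to the audit log file, and the collector needs a matching TCP input on the chosen port.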