Splunk Enterprise

Linux Auditd and Linux Auditd Technology Add-On App Installation and Configuration

Symon
Explorer

Symon_0-1708668015409.png

I downloaded and installed these apps from Splunkbase.

https://splunkbase.splunk.com/app/4232
https://splunkbase.splunk.com/app/2642

As per the instructions, I added the
sourcetype=linux_audit to the local "auditd_events" eventtype in TA
and
linux_audit to list of sourcetypes in TA-linux_auditd/lookups/auditd_sourcetypes.csv

but the dashboard data is not showing up.
My existing auditd events belong to the different sourcetype names and eventtype names. 

For example, 
I got the auditd events.
index="linux_fw" sourcetype="syslog" eventtype="mycustom_audit_events"

Therefore, 
Do I need to
add the sourcetype="syslog" to the local "auditd_events" eventtype in TA
and
add the syslog to list of sourcetypes in TA-linux_auditd/lookups/auditd_sourcetypes.csv ??

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...