I downloaded and installed these apps from Splunkbase.
https://splunkbase.splunk.com/app/4232
https://splunkbase.splunk.com/app/2642
As per the instructions, I added the
sourcetype=linux_audit to the local "auditd_events" eventtype in TA
and
linux_audit to list of sourcetypes in TA-linux_auditd/lookups/auditd_sourcetypes.csv
but the dashboard data is not showing up.
My existing auditd events belong to the different sourcetype names and eventtype names.
For example,
I got the auditd events.
index="linux_fw" sourcetype="syslog" eventtype="mycustom_audit_events"
Therefore,
Do I need to
add the sourcetype="syslog" to the local "auditd_events" eventtype in TA
and
add the syslog to list of sourcetypes in TA-linux_auditd/lookups/auditd_sourcetypes.csv ??