I've set up forwarding many times, but for some reason cannot get my auditd log to properly appear in Splunk. I'm banging my head against the wall and am probably just missing something simple.
I created a new app, which forwards the log I want and deployed it to the forwarder on my test server. I created an indexes.conf file for my indexers to handle the new Index. Data is being written to the log, but when I go into Splunk and search for that index, nothing is found. I'm not seeing any errors in splunkd.log on either the forwarder or the indexers. The Index was not showing up in the Search Head's webui under Settings->Indexes. I tried creating it there as well, but still to no avail.
Anyone know what I'm missing?
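One silent failure mode that fits the symptoms in the post (data written to the log, no search results, nothing obvious in splunkd.log) is a mismatch between the index name the forwarder's inputs.conf stamps on events and the index stanzas actually defined in the indexers' indexes.conf; an indexer drops events for an index it does not know. The checker below is an added example, not code from the original post or from Splunk; the two .conf snippets are constructed and hypothetical, and the app name "auditd_fwd" is an assumption. It parses both files with Python's stdlib INI parser and reports any monitor stanza whose target index is missing, disabled, or untyped.

```python
"""
Cross-check a forwarder's inputs.conf against the indexers' indexes.conf.

Added example, not from the original post. The two config snippets below are
constructed (hypothetical) to show the mismatch that makes events vanish
silently: the forwarder tags events with an index name that no indexer
defines, so the indexer discards them.
"""
import configparser
from typing import Dict, List

# Constructed forwarder-side inputs.conf (hypothetical app "auditd_fwd").
INPUTS_CONF = """
[monitor:///var/log/audit/audit.log]
index = linux_audit
sourcetype = linux_audit
disabled = 0
"""

# Constructed indexer-side indexes.conf; note the index is named "auditd",
# not "linux_audit", so the forwarder's events have nowhere to land.
INDEXES_CONF = """
[auditd]
homePath   = $SPLUNK_DB/auditd/db
coldPath   = $SPLUNK_DB/auditd/colddb
thawedPath = $SPLUNK_DB/auditd/thaweddb
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text (INI-style stanzas) into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case (homePath, not homepath)
    parser.read_string(text)
    return {stanza: dict(parser[stanza]) for stanza in parser.sections()}


def check_monitor_inputs(inputs_text: str, indexes_text: str) -> List[str]:
    """Return a list of findings; an empty list means the two configs agree."""
    inputs = parse_conf(inputs_text)
    indexes = parse_conf(indexes_text)
    # Every stanza except [default] and [volume:...] names a real index.
    defined = {name for name in indexes
               if name != "default" and not name.startswith("volume:")}
    findings: List[str] = []
    for stanza, settings in inputs.items():
        if not stanza.startswith("monitor://"):
            continue
        path = stanza[len("monitor://"):]
        if settings.get("disabled", "0").strip().lower() in ("1", "true"):
            findings.append(f"{path}: input is disabled")
        target = settings.get("index")
        if target is None:
            findings.append(f"{path}: no index set, events will go to 'main'")
        elif target not in defined:
            findings.append(
                f"{path}: index '{target}' is not defined on the indexers "
                f"(defined: {sorted(defined)}); events for an unknown index are dropped")
        if "sourcetype" not in settings:
            findings.append(f"{path}: no sourcetype set")
    return findings


if __name__ == "__main__":
    for finding in check_monitor_inputs(INPUTS_CONF, INDEXES_CONF) or ["OK"]:
        print(finding)
```

Run it against the real files from the deployed app and from the indexers' cluster bundle rather than the constructed strings. If the names do agree, the next things to rule out on the forwarder are file permissions (audit.log is normally root-owned with mode 0600, so a forwarder running as a non-root user cannot read it) and whether the input is actually active, which `splunk list inputstatus` and `splunk btool inputs list --debug` on the forwarder will show.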