So just checked on a Splunk universal forwarder 6.4.0 on Linux and there is an audit.log in /opt/splunkforwarder/var/log/splunk/ and it contains useful information. For example:
04-27-2016 08:30:40.226 +1200 INFO AuditLogger - Audit:[timestamp=04-27-2016 08:30:40.226, user=n/a, action=update,path="/opt/splunkforwarder/etc/apps/splunk_TA_nix_local_log/bin", isdir=1, size=4096, gid=1001, uid=1001, modtime="Wed Apr 27 08:28:17 2016", mode="rwxrwxr-x", hash=, chgs="modtime "][n/a]
04-27-2016 08:30:40.330 +1200 INFO AuditLogger - Audit:[timestamp=04-27-2016 08:30:40.330, user=n/a, action=update,path="/opt/splunkforwarder/etc/apps/splunk_TA_nix_local_log/bin/tests.sh", isdir=0, size=336, gid=1001, uid=1001, modtime="Wed Apr 27 08:28:17 2016", mode="rwxrwxr-x", hash=, chgs="modtime "][n/a]
04-27-2016 10:31:45.225 +1200 INFO AuditLogger - Audit:[timestamp=04-27-2016 10:31:45.225, user=n/a, action=splunkShuttingDown, info=n/a][n/a]
04-27-2016 10:31:49.783 +1200 INFO AuditLogger - Audit:[timestamp=04-27-2016 10:31:49.783, user=n/a, action=splunkStarting, info=n/a][n/a]
But audit.log is not added as monitor:
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf [monitor:///Library/Logs]
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf [monitor:///etc]
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf [monitor:///home/.../.bash_history]
/opt/splunkforwarder/etc/system/default/inputs.conf [monitor:///opt/splunkforwarder/etc/splunk.version]
/opt/splunkforwarder/etc/system/default/inputs.conf [monitor:///opt/splunkforwarder/var/log/splunk]
/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf [monitor:///opt/splunkforwarder/var/log/splunk/metrics.log]
/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf [monitor:///opt/splunkforwarder/var/log/splunk/splunkd.log]
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf [monitor:///root/.bash_history]
So maybe this was changed somewhen down the road or it's a feature 😉
... View more