I'm not receiving any Audit data either. But I have seen in the Splunk logs where it's trying to grab the logs from fw.adtlog. The problem is my audit data logs roll over every day and it's not trying to grab the daily audit logs (only the default fw.adtlog). For example, it's trying to grab audit data from the main logs that roll over every day (2018-11-05_000000.log, 2018-11-06_000000.log, etc.) and NOT from (2018-11-05_000000.adtlog, 2018-11-06_000000.adtlog). So, I think that's the problem - it recognizes and grabs the NON-Audit data from these daily roll-over logs, but NOT the audit data - because it's not looking for YYYY-MM-DD_XXXX.adtlog as a log to grab info from.