OK. Of those three locations only the audit.log contains fairly standardized data. But. There are several different types of events there:

1. SELinux alerts
2. PAM events
3. auditd logs

Usefulness of SELinux alerts depends on your SELinux policy (and whether SELinux is enabled at all). Auditd must be explicitly configured with audit rules to produce meaningful output. So this single file can be tricky to configure.

And the two other files can contain a plethora of various event formats from different daemons on your system, depending on what you have installed and how your system is configured. I assume it's some Debian-based distro, because a normal RH-based one doesn't even have /var/log/syslog.

So it's a bit more complicated than just installing "something" and having it work.

Sysmon is... well, that's a completely different story. I'd be very cautious about it, since it's a very low-level external tool and requires a decent configuration to produce meaningful output but not overstress the system.
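As an added example (not code from the post above), here is a small Python classifier that sorts constructed audit.log lines into the three families the post names: SELinux AVC records, PAM records (recognised by the `op=PAM:` field inside the nested `msg='...'`), and rule-driven auditd events (recognised by a `key=` set by an audit rule). Records sharing one `msg=audit(ts:serial)` header are grouped into a single event, so PATH/CWD siblings inherit the category of their SYSCALL record; the sample lines and the category labels are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample records (not taken from any real system), one per family.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="shadow" dev="sda1" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=USER_AUTH msg=audit(1700000000.102:202): pid=1235 uid=0 auid=1000 ses=3 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1 a2=0 a3=0 items=1 ppid=1 pid=1236 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="etc_shadow"
type=PATH msg=audit(1700000000.103:203): item=0 name="/etc/shadow" inode=42 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SERVICE_START msg=audit(1700000000.104:204): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# Every audit record starts with type=... msg=audit(<epoch>.<ms>:<serial>):
HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; values may be double-quoted, single-quoted (nested msg) or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

SELINUX_TYPES = {"AVC", "USER_AVC", "SELINUX_ERR", "MAC_POLICY_LOAD"}

def parse_record(line):
    """Parse one audit.log line into a flat dict, flattening the nested msg='...' fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"\'') for k, v in KV_RE.findall(m.group("body"))}
    inner = fields.get("msg")
    if inner and "=" in inner:  # PAM/service records carry their real fields inside msg='...'
        fields.update({k: v.strip('"') for k, v in KV_RE.findall(inner)})
    return {**fields, "type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}

def classify(rec):
    """Assumed category labels: selinux, pam, audit_rule (rule-driven auditd), other."""
    if rec["type"] in SELINUX_TYPES:
        return "selinux"
    if rec.get("op", "").startswith("PAM:"):
        return "pam"
    if rec.get("key") and rec["key"] != "(null)":  # key= is only set when an audit rule matched
        return "audit_rule"
    return "other"

def classify_events(text):
    """Group records by serial (one event) and give the event the first non-'other' category."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    return {serial: next((c for c in map(classify, recs) if c != "other"), "other")
            for serial, recs in events.items()}

def summarize(text):
    return dict(Counter(classify_events(text).values()))
```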