Hi,
Installed the Linux AuditD app on Splunk Cloud (indexer). Linux logs are getting parsed as expected with sourcetype=linux:audit.
Configured the app as per the document on GitHub and see that most of the dashboards are blank:
SOC dashboard has data in it
Kernel dashboard is blank (searched for all time)
SYSCALL is blank (searched for all time)
TYPE ENFORCEMENT has data
SUDO is blank
Also, when I ran the search `[|inputlookup auditd_indicies] [|inputlookup auditd_sourcetypes]`, it only shows one sourcetype (syslog). Ideally this should also show the other sourcetype (linux:audit), and I believe this could be the reason the SYSCALL dashboard is blank.
Haven't done any config related to data model, not sure if this is related.
Please advise.
Thanks in advance.
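A search that compares what the app's sourcetype lookup allows against what is actually indexed, as an added example for troubleshooting a case like the one above (not part of the original post or of the Linux AuditD app). It assumes the lookup `auditd_sourcetypes` carries its values in a field named `sourcetype`; that field name is an assumption, so check the lookup's header first with `| inputlookup auditd_sourcetypes`.

```spl
| tstats count where index=* by index, sourcetype
| search sourcetype="linux:audit" OR sourcetype="syslog"
| eval in_lookup="no"
| append
    [| inputlookup auditd_sourcetypes
     | eval in_lookup="yes", count=0, index="(lookup)"]
| stats sum(count) AS events, values(in_lookup) AS in_lookup BY sourcetype
| eval missing_from_lookup=if(isnull(mvfind(in_lookup, "yes")), "yes", "no")
```

A row showing `linux:audit` with events greater than zero and `missing_from_lookup=yes` confirms that the data is indexed but the app's lookup-driven dashboards never select it; the fix is then to add that sourcetype to the lookup (via the app's configuration dashboard or by editing the lookup CSV), not to change the data model.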