All Apps and Add-ons

How to configure the Linux Auditd app to consolidate data from a host?

jcorkey
Explorer

I have one indexer and one forwarder. My Splunk Enterprise (Indexer) has the Linux Auditd app installed and I have my forwarder sending audit logs to an index that is using the linux auditd app on my My Splunk Enterprise. On my forwarder, I configured it to monitor the /var/log/audit/audit.log so my indexer would receive that data. So now I am wondering why TA_linux-auditd is installed with a inputs.conf file that is also configured to monitor /var/log/audit/audit.log? If my inputs.conf on my forwarder is use to specify which file to monitor, then what is the TA_linux-auditd's inputs.conf on my Splunk Enterprise used for. I hope that makes sense. I am very new to Splunk. If there are any resources out there that explain more about what the following .conf files are used for please let me know.

app.conf
collections.conf
datamodels.conf
eventtypes.conf
inputs.conf
macros.conf
props.conf
savedsearches.conf
tags.conf
transforms.conf

0 Karma

woodcock
Esteemed Legend

The one in the app is used to establish default values. You only need to copy the stanza header (the line that begins with [ and ends with ] and the settings that go with it that you need to change (probably none, except for disabled=1 which you need to change to disabled=0).

0 Karma

jcorkey
Explorer

I am still confused as to why the app on my indexer would need default values. inputs.conf on my forwarder is set to monitor /var/log/audit/audit.log so it can forward that data to my indexer. If my indexer also has its own local/inputs.conf with default values, is that so I can monitor the /var/log/audit/audit.log file on my indexer and forward that data to another spunk instance if I had my topology setup that way?

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...