Linux auditD install on universal forwarder

hkumar8
Explorer

Hi,
Trying to install Linux auditD on a universal forwarder. The app has been installed by support on Splunk Cloud.
The UF is installed on a syslog server and forwards data directly to Splunk Cloud, with no HF or indexer in between. I referred to
github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration and did not find any info about installing on a UF.

After installing the app on Splunk Cloud, the Unix logs are getting tagged (some non-audit logs as well) as eventtype:auditd.

Would like to know what changes need to be done on the UF?
Is there a change required to the inputs.conf file, and what should be added there?

Any other helpful tip would be great.

Here is a sample log:

Aug 21 20:24:34 10.10.0.1 <133>XXX: NetScreen device_id=XXX  [Root]system-notification-00257(traffic): start_time="2017-08-21 15:03:59" duration=0 policy_id=320001 service=proto:112/port:0 proto=112 src zone=Null dst zone=self action=Deny sent=0 rcvd=56 src=YYYY dst=ZZZZ session_id=0

Fields Splunk shows for that event:
  action = Deny
  dst = ZZZZZ
  eventtype = auditd (tags: file, os, resource, unix)
  eventtype = auditd_events
  eventtype = nix-all-logs
  host = YYYY
  sent = 0
  service = proto:112/port:0
  source = /logs/YYYYY/2017/08/21/user.log
  sourcetype = syslog
  src = YYYYY
  tag = file, os, resource, unix

Thanks in advance.

0 Karma
1 Solution

doksu
SplunkTrust
SplunkTrust

If using a universal forwarder to collect auditd events, all that is required is to specify the sourcetype 'linux:audit' in the file's inputs.conf monitor stanza. However, in your case I would recommend using a heavy forwarder on the syslog server so you can apply index-time transformations before events are forwarded to Splunk Cloud. The reason I suggest this is that the syslog service is putting events of different sourcetypes into the same file, and so index-time transformations are required to sourcetype them correctly on an event-by-event basis. This could be done on the indexers in Splunk Cloud; however, you would need to contact support.

The 'auditd' eventtype is not provided by the Linux Auditd app (TA_linux-auditd). It is from the Splunk_TA_nix app and is applied to events with the sourcetype 'auditd', indicating that your events may not be sourcetyped correctly. Furthermore, the sample event provided doesn't appear to actually be an auditd event at all. The 'auditd' sourcetype will not work with the Linux Auditd app; please see: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#sourcetype

Irrespective of the Linux Auditd app being used or not, the best practice is to collect events as close to the source as possible in order to retain fidelity and provide other benefits, such as load-balancing, etc. In practice, this means installing universal forwarders on endpoints (where possible), rather than using syslog or some other means of collection. In this way, I would encourage you to reconsider the use of syslog for collecting auditd events.

0 Karma

hkumar8
Explorer

Thanks doksu.
I don't have approval to install an HF on the syslog server and have to work with the current setup only.
I tried to overwrite the sourcetype from syslog (existing) to linux:audit and also tried to run the transforms against the sourcetype, but it didn't work.

Basically, no changes are required on the UF, transforms.config or props.config?

I opened a case with support to see what needs to be done on the cloud indexer to get this sorted.

0 Karma

doksu
SplunkTrust
SplunkTrust

Index-time prop/transform configurations can't be used by universal forwarders. Therefore, no changes can be made on a universal forwarder to address the issue you're having.

0 Karma
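As an added example (not from this thread or from the Linux Auditd app), here are the two configurations doksu's answers describe: the only change a universal forwarder needs, and the index-time per-event sourcetype override that has to live on a heavy forwarder or on the Splunk Cloud indexers because a UF cannot apply it. The audit.log path, the index name and the regex are assumptions.

```ini
# inputs.conf on the universal forwarder (assumed path; the endpoint writes
# its own audit.log). Setting the sourcetype here is the whole UF-side change.
[monitor:///var/log/audit/audit.log]
sourcetype = linux:audit
index = main
disabled = false

# props.conf on the heavy forwarder or Splunk Cloud indexers, NOT the UF:
# the syslog file mixes sourcetypes, so the sourcetype is rewritten per event.
# "syslog" is the sourcetype the mixed file currently arrives with.
[syslog]
TRANSFORMS-set_auditd_sourcetype = syslog_to_linux_audit

# transforms.conf on the same tier: only events carrying auditd's own record
# header ("type=... msg=audit(seconds.millis:serial):") become linux:audit.
# The NetScreen line from the question does not match and stays syslog,
# so it no longer lands in the Linux Auditd app's searches.
[syslog_to_linux_audit]
REGEX = type=[A-Z_]+ msg=audit\(\d+\.\d+:\d+\):
FORMAT = sourcetype::linux:audit
DEST_KEY = MetaData:Sourcetype
```

Verify the override after a restart by searching for sourcetype=linux:audit and confirming that only lines with the audit(...) header appear, while the NetScreen traffic events remain under sourcetype=syslog.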
