Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Linux Auditd and Linux Auditd Technology Add-On App Installation and Configuration

Symon
Explorer
‎02-23-2024 01:30 AM

Symon_0-1708668015409.png

I downloaded and installed these apps from Splunkbase.

https://splunkbase.splunk.com/app/4232
https://splunkbase.splunk.com/app/2642

As per the instructions, I added the
sourcetype=linux_audit to the local "auditd_events" eventtype in TA
and
linux_audit to list of sourcetypes in TA-linux_auditd/lookups/auditd_sourcetypes.csv

but the dashboard data is not showing up.
My existing auditd events belong to the different sourcetype names and eventtype names. 

For example, 
I got the auditd events.
index="linux_fw" sourcetype="syslog" eventtype="mycustom_audit_events"

Therefore, 
Do I need to
add the sourcetype="syslog" to the local "auditd_events" eventtype in TA
and
add the syslog to list of sourcetypes in TA-linux_auditd/lookups/auditd_sourcetypes.csv ??

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...