Linux auditD install on Universal forwarder

Hi, I am trying to install Linux auditd on a Universal Forwarder. The app has been installed by support on Splunk Cloud. The UF is installed on a syslog server and forwards data directly to Splunk Cloud, with no HF or indexer in between. I referred to github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration and did not find any info about installing on a UF. After installing the app on Splunk Cloud, the Unix logs are getting tagged (some non-audit logs as well) as eventtype:auditd. I would like to know what changes need to be made on the UF. Is a change required to the inputs.conf file, and what should be added there? Any other helpful tip would be great. Here is a sample log:

Aug 21 20:24:34 10.10.0.1 <133>XXX: NetScreen device_id=XXX [Root]system-notification-00257(traffic): start_time="2017-08-21 15:03:59" duration=0 policy_id=320001 service=proto:112/port:0 proto=112 src zone=Null dst zone=self action=Deny sent=0 rcvd=56 src=YYYY dst=ZZZZ session_id=0 action = Deny dst = ZZZZZ eventtype = auditd file os resource unix eventtype = auditd_events eventtype = nix-all-logs host = YYYY sent = 0 service = proto:112/port:0 source = /logs/YYYYY/2017/08/21/user.log sourcetype = syslog src = YYYYY tag = file tag = os tag = resource tag = unix

Thanks in advance.
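The shape of the UF-side inputs.conf stanza the question is asking about, added here as an illustrative example; it is not from the original post and not the splunk_auditd app's own configuration. The path is the default auditd log location on most distributions; the sourcetype name `linux_audit` and the index name are assumptions that should be checked against the app's wiki and against the indexes that exist on the Splunk Cloud side.

```ini
# Added example (not the poster's config): inputs.conf on the Universal Forwarder,
# placed in $SPLUNK_HOME/etc/system/local/ or inside a deployed app.
[monitor:///var/log/audit/audit.log]
# Assumption: the sourcetype the splunk_auditd app expects; verify in the app's wiki.
sourcetype = linux_audit
# Assumption: an index that already exists on the Splunk Cloud side.
index = linux_audit
disabled = false
```

After editing the file, restart the forwarder (`splunk restart`) and confirm the input with `splunk list monitor`. Two practical points: /var/log/audit/audit.log is readable only by root by default, so a UF running as a non-root user needs explicit read access to the file before anything is forwarded; and eventtypes and tags are search-time knowledge objects applied on the search head, so the `eventtype = auditd` label appearing on the NetScreen syslog line above is produced by the eventtype definitions in the app installed on Splunk Cloud, not by anything in the UF's inputs.conf. Narrowing that tagging means adjusting the eventtype's search (for example restricting it to the audit sourcetype) on the Splunk Cloud side.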
