Splunk® Supported Add-ons

Splunk Add-on for Linux

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure AuditD to send data to the Splunk Add-on for Linux

AuditD is a default linux daemon for audit data generation. The AuditD daemon must be in the running state to generate AuditD logs.

You can collect data by monitoring the audit logs, or by collecting data via TCP.

Configure AuditD to collect data

You must configure AuditD to collect data and send the data to Splunk. The default location for auditd.conf is /etc/audit/auditd.conf.

Configure the property log_format with option RAW or ENRICHED. If set to RAW, the audit records will be stored in a format exactly as the kernel sends it. The ENRICHED option will resolve all uid, gid, syscall, architecture, and socket address information before writing the event to disk.

Splunk best practice is to set log_format=ENHANCED to allow proper CIM mapping of auditd event data.

See the AuditD manpage to learn more about auditd.conf.

Collect data from the audit logs

  1. Click Settings > Data Inputs > Files & directories.
  2. Define a new data input and set the source type to linux:audit.

For more information on how to configure data inputs, see Configure your inputs.

If you need to validate your data input configuration, see Validate data collection.

Collect data from a TCP port

  1. Click Settings > Data Inputs > TCP.
  2. Define a new data input and set the source type to linux:audit.

For more information on how to configure data inputs, see Configure your inputs.

If you need to validate your data input configuration, see Validate data collection.

Last modified on 25 July, 2022
PREVIOUS
Configure TCP inputs in CollectD for the Splunk Add-on for Linux
  NEXT
Troubleshoot the Splunk Add-on for Linux

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters