Configure AuditD to send data to the Splunk Add-on for Linux
AuditD is the default Linux daemon for generating audit data. The auditd daemon must be running for audit records to be written at all, so check its state before you troubleshoot an empty input.
You can collect the data either by monitoring the audit log files on disk or by receiving the records over a TCP port.
Configure AuditD to collect data
You must configure AuditD to collect data and send the data to Splunk. The default location for auditd.conf is /etc/audit/auditd.conf.
Configure the property log_format with the option RAW or ENRICHED. If set to RAW, the audit records are stored exactly as the kernel sends them, with numeric uid, gid, syscall and architecture values. The ENRICHED option resolves all uid, gid, syscall, architecture, and socket address information to names before writing the event to disk.
Splunk best practice is to set log_format = ENRICHED (the shipped auditd.conf uses this key = value form) to allow proper CIM mapping of auditd event data; without the resolved names the add-on has only numeric ids to map into user and process fields. Restart auditd after editing the file so the new format takes effect.
See the auditd.conf manpage to learn more about auditd.conf.
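The following Python is an added example, not part of this Splunk documentation or of the auditd project. It shows what the RAW and ENRICHED formats look like on the same SYSCALL event, how to pull the resolved names out of an ENRICHED record, and how to check a copy of auditd.conf for the ENRICHED setting (and rewrite it if it is RAW). The audit records and the auditd.conf fragments are constructed for the example; the 0x1d separator before the resolved fields is the real ENRICHED layout, and all function names are the example's own.

```python
"""Added example for the auditd log_format discussion (not Splunk or auditd
project code). Records and config fragments are constructed for illustration."""
import re

# In ENRICHED output auditd appends the resolved fields (UID="name",
# SYSCALL=open, ARCH=x86_64, ...) after an ASCII 0x1d group separator.
ENRICHMENT_SEP = "\x1d"

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values may be "double-quoted", 'single-quoted' or bare.
FIELD_RE = re.compile(r"(\w+)=(\"(?:[^\"\\]|\\.)*\"|'[^']*'|\S+)")

# Constructed records: one SYSCALL event as RAW output and as ENRICHED output.
RAW_RECORD = (
    "type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 "
    "success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 "
    "ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 "
    "fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm=\"cat\" "
    "exe=\"/bin/cat\" key=\"sshd_config\""
)
ENRICHED_RECORD = RAW_RECORD + ENRICHMENT_SEP + (
    "ARCH=x86_64 SYSCALL=open AUID=\"alice\" UID=\"alice\" GID=\"alice\" "
    "EUID=\"alice\" SUID=\"alice\" FSUID=\"alice\" EGID=\"alice\" "
    "SGID=\"alice\" FSGID=\"alice\""
)

# Constructed auditd.conf fragments: the weak setting and the recommended one.
CONF_RAW = """\
# constructed fragment of /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
log_format = RAW
flush = INCREMENTAL_ASYNC
"""
CONF_ENRICHED = CONF_RAW.replace("log_format = RAW", "log_format = ENRICHED")


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def _fields(text):
    return {key: _unquote(val) for key, val in FIELD_RE.findall(text)}


def parse_record(line):
    """Split one audit.log line into header, raw fields and resolved fields.

    A line without the 0x1d separator carries no resolved fields (RAW output,
    or an event type with nothing to resolve), so "enriched" is then empty.
    """
    match = HEADER_RE.match(line.rstrip("\n"))
    if not match:
        raise ValueError("not an audit record: %r" % line[:40])
    raw_part, sep, enriched_part = match.group("body").partition(ENRICHMENT_SEP)
    return {
        "type": match.group("type"),
        "time": float(match.group("ts")),
        "serial": int(match.group("serial")),
        "format": "ENRICHED" if sep else "RAW",
        "fields": _fields(raw_part),
        "enriched": _fields(enriched_part),
    }


def resolve(record, raw_key, enriched_key):
    """Prefer the name auditd resolved (ENRICHED); fall back to the raw value."""
    return record["enriched"].get(enriched_key, record["fields"].get(raw_key))


def config_setting(conf_text, key):
    """Return the value of `key` from auditd.conf text (last one wins), or None."""
    value = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, val = (part.strip() for part in line.split("=", 1))
        if name.lower() == key.lower():
            value = val
    return value


def uses_enriched(conf_text):
    """True only when log_format is explicitly ENRICHED; a missing key depends
    on the build's default and is treated here as not confirmed."""
    return (config_setting(conf_text, "log_format") or "").upper() == "ENRICHED"


def set_log_format(conf_text, value="ENRICHED"):
    """Return conf_text with log_format set to `value`, rewriting or appending."""
    out, found = [], False
    for line in conf_text.splitlines():
        key = line.split("#", 1)[0].split("=", 1)[0].strip().lower()
        if key == "log_format":
            out.append("log_format = %s" % value)
            found = True
        else:
            out.append(line)
    if not found:
        out.append("log_format = %s" % value)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line in (RAW_RECORD, ENRICHED_RECORD):
        rec = parse_record(line)
        print(rec["format"], rec["type"], "user:", resolve(rec, "uid", "UID"),
              "syscall:", resolve(rec, "syscall", "SYSCALL"))
    print("CONF_RAW enriched?", uses_enriched(CONF_RAW))
    print("after fix enriched?", uses_enriched(set_log_format(CONF_RAW)))
```

Running the script prints the same event once as RAW (user 1000, syscall 2) and once as ENRICHED (user alice, syscall open); the second form is what the linux:audit sourcetype needs to populate user and process names during CIM mapping. The config check reads the file with the same key = value rules auditd uses, so it can be pointed at /etc/audit/audit.conf copies collected from a fleet.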
Collect data from the audit logs
- Click Settings > Data Inputs > Files & directories.
- Define a new data input and set the source type to linux:audit.
For more information on how to configure data inputs, see Configure your inputs.
If you need to validate your data input configuration, see Validate data collection.
Collect data from a TCP port
- Click Settings > Data Inputs > TCP.
- Define a new data input and set the source type to linux:audit.
For more information on how to configure data inputs, see Configure your inputs.
If you need to validate your data input configuration, see Validate data collection.