Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.
Click here for the latest version.

audit.conf
The following are the spec and example files for audit.conf.
audit.conf.spec
# Version 6.6.2 # # This file contains possible attributes and values you can use to configure # auditing and event signing in audit.conf. # # There is NO DEFAULT audit.conf. To set custom configurations, place an # audit.conf in $SPLUNK_HOME/etc/system/local/. For examples, see # audit.conf.example. You must restart Splunk to enable configurations. # # To learn more about configuration files (including precedence) please see the # documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
GLOBAL SETTINGS
# Use the [default] stanza to define any global settings. # * You can also define global settings outside of any stanza, at the top of the file. # * Each conf file should have at most one default stanza. If there are # multiple default stanzas, attributes are combined. In the case of multiple # definitions of the same attribute, the last definition in the file wins. # * If an attribute is defined at both the global level and in a specific # stanza, the value in the specific stanza takes precedence. ######################################################################################### # KEYS: specify your public and private keys for encryption. #########################################################################################
[auditTrail]
* This stanza turns on cryptographic signing for audit trail events (set in inputs.conf). * You must have a private key to encrypt the signatures and a public key to decrypt them. * WARNING: Enabling signing for audit trail events may increase HTTP response latency if the Splunk instance is handling large numbers of concurrent requests. privateKey= <path> * The path to the file containing the private key. * Generate your own keys using openssl in $SPLUNK_HOME/bin/. * If not present, a default key will be generated one time and placed at $SPLUNK_HOME/etc/auth/audit/private.pem publicKey= <path> * The path to the file containing the public key. * Generate your own keys using openssl in $SPLUNK_HOME/bin/. * If not present, a default key will be generated one time and placed at $SPLUNK_HOME/etc/auth/audit/public.pem queueing=[true|false] * Turn off sending audit events to the indexQueue -- tail the audit events instead. * If this is set to 'false', you MUST add an inputs.conf stanza to tail the audit log in order to have the events reach your index. * Defaults to true.
audit.conf.example
# Version 6.6.2 # # This is an example audit.conf. Use this file to configure auditing. # # There is NO DEFAULT audit.conf. # # To use one or more of these configurations, copy the configuration block into # audit.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to # enable configurations. # # To learn more about configuration files (including precedence) please see the # documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles [auditTrail] privateKey=/some/path/to/your/private/key/private_key.pem publicKey=/some/path/to/your/public/key/public_key.pem # If this stanza exists, audit trail events will be cryptographically signed. # You must have a private key to encrypt the signatures and a public key to decrypt them. # Generate your own keys using openssl in $SPLUNK_HOME/bin/.
Last modified on 28 June, 2017
PREVIOUS app.conf |
NEXT authentication.conf |
This documentation applies to the following versions of Splunk® Enterprise: 6.6.2
Feedback submitted, thanks!