Splunk® Enterprise

Admin Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

audit.conf

The following are the spec and example files for audit.conf.

audit.conf.spec

   Version 7.3.7

 This file contains possible attributes and values you can use to configure
 auditing and event signing in audit.conf.

 There is NO DEFAULT audit.conf. To set custom configurations, place an
 audit.conf in $SPLUNK_HOME/etc/system/local/. For examples, see
 audit.conf.example.  You must restart Splunk to enable configurations.

 To learn more about configuration files (including precedence) please see the
 documentation located at
 http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

GLOBAL SETTINGS


 Use the [default] stanza to define any global settings.
  * You can also define global settings outside of any stanza, at the top of the file.
  * Each conf file should have at most one default stanza. If there are
    multiple default stanzas, attributes are combined. In the case of multiple
    definitions of the same attribute, the last definition in the file wins.
  * If an attribute is defined at both the global level and in a specific
    stanza, the value in the specific stanza takes precedence.


 KEYS: specify your public and private keys for encryption.


queueing=[true|false]
* Turn off sending audit events to the indexQueue -- tail the audit events
  instead.
* If this is set to 'false', you MUST add an inputs.conf stanza to tail the
  audit log in order to have the events reach your index.
  * Defaults to true.

audit.conf.example

#   Version 7.3.7
#
# This is an example audit.conf.  Use this file to configure auditing.
#
# There is NO DEFAULT audit.conf.
#
# To use one or more of these configurations, copy the configuration block into
# audit.conf in $SPLUNK_HOME/etc/system/local/.  You must restart Splunk to
# enable configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

Last modified on 12 August, 2020
PREVIOUS
app.conf
  NEXT
authentication.conf

This documentation applies to the following versions of Splunk® Enterprise: 7.3.7


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters