
Linux Auditd: Why is the auditd_indicies.csv not populating?

brywilk_umich
Path Finder

We installed the Linux Auditd app; when we ran the config, the auditd_indicies lookup found nothing and auditd_indicies.csv is empty. If we do a general search on our standalone search head and our cluster, we see sourcetypes with linux:auditd. Has anyone run into this issue in the past?

We are on version 2.0.3


doksu
Contributor

In short, 'Configure' dashboard must be run as a user with access to auditd events. I've updated the documentation (https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#configuration) to explicitly mention this requirement. Please see comments in the other answer I provided to see how we determined the cause.
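A quick way to confirm this cause before re-running 'Configure': the dashboard's populating search inherits the role-based index restrictions of whoever runs it, so run the searches below while logged in as that same user. This is an added diagnostic, not part of doksu's answer or of the app itself; the index name that comes back is whatever index your forwarders write the linux:audit events to, and reading /services/authorization/roles normally requires an admin role.

```spl
| rest /services/authentication/current-context splunk_server=local
| table username roles

| tstats count where index=* sourcetype=linux:audit by index

| rest /services/authorization/roles splunk_server=local
| table title srchIndexesAllowed srchIndexesDefault imported_srchIndexesAllowed

| inputlookup auditd_indicies.csv
```

Run them one at a time. If the tstats search returns no rows for this user but returns one row per index when an admin runs it, the user's roles do not grant that index under srchIndexesAllowed (directly or via an imported role); either add the index to the role or re-run 'Configure' as a user who already has it, then check that the inputlookup now lists the index. The `index=*` in the tstats search matters: without it the search covers only the role's default indexes (srchIndexesDefault), so an index that is allowed but not default would also appear empty. The same restriction applies to the app's scheduled update, which runs with the permissions of the account that owns it.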

aaraneta_splunk
Splunk Employee

@brywilk_umich - Glad that you were able to find the help you needed via doksu, Splunk Support, and yourself. Please click "Accept" for this answer provided by doksu to close out your question and so it can be easily found by other users that have the same issue. Thank you.


doksu
Contributor

The sourcetype should be 'linux:audit', not 'linux:auditd'. If you change the sourcetype of the events being ingested and then run the 'Configure' dashboard again, the auditd_indicies lookup should populate correctly; however, the field extractions won't work for the events already ingested with the wrong sourcetype.

As a workaround, you could add temporary local configs that duplicate all the linux:audit props for linux:auditd, and add 'OR sourcetype=linux:auditd' to the 'auditd_events' eventtype. Finally, add linux:auditd to the auditd_sourcetypes lookup. I'm not recommending this workaround because it isn't upgrade-proof, nor have I tested it, but it may help.


brywilk_umich
Path Finder

Sorry, I had a typo; our sourcetype is in fact linux:audit, not linux:auditd.

Is there any other suggestion you might have? Can I just manually populate the auditd_indicies.csv (I know it's not future-proof)? I would need to disable the scheduled update.

Thanks!


brywilk_umich
Path Finder

I think I found the issue; it looks like tstats isn't working correctly for us. I'm going to open a case with Splunk. Thanks for the help!


doksu
Contributor

Cool, would you be able to share the issue? I suspect it may be affecting other Splunk 6.5 users of the app.


brywilk_umich
Path Finder

Still working with support; when I get an answer I'll post it here. Thanks!


brywilk_umich
Path Finder

So it turned out that the account used to run the configuration didn't have access to the index it needed.

doksu
Contributor

Ah, I never thought about that - thanks, I'll add that to the documentation.
