Linux Auditd: How to override the default configur...

jcorkey · ‎07-20-2017

When the Linux Auditd app is installed on a Splunk Enterprise (indexer), is the props.conf in the TA_linux-auditd/default/props.conf overriding anything by default? I am confused on how overriding works.

Splunk documentations says the following:

Note: If you forward data, and you want to assign a source type for a source, you must assign the source type in props.conf on the forwarder. If you do it in props.conf on the receiver, the override has no effect.

So if I have the Linux Auditd app installed on an indexer and I have a universal forwarder sending audit log data to my indexer, will any configuration I add in TA_linux-auditd/local be applied to data received from forwarders or data that my indexer itself is forwarding??

The NOTE above makes it sound like I need to install Linux Auditd app on my forwarder not just my indexer.

woodcock · ‎07-20-2017

The documentation is wrong. You should assign the sourcetype in inputs.conf on the forwarder (NOT in props.conf). Then don't bother overriding it at all.

dilipbailwal · ‎07-20-2017

First of all overriding works as per the files presedence order. In your case it will be index file precedence order.
1. Slave-app local directories (cluster peers only) -- highest priority
2. System local directory
3. App local directories
4. Slave-app default directories (cluster peers only)
5. App default directories
6. System default directory -- lowest priority

Hope this answers, if not then please rephrase ur question

Linux Auditd: How to override the default configurations for props.conf?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases