
Linux Auditd app not showing data under multiple dashboards: SYSCALL, SUDO, etc.

hkumar8
Explorer

Hi,

Installed the Linux AuditD app on Splunk Cloud (indexer). Linux logs are getting parsed as expected with sourcetype=linux:audit.

Configured the app as per the documentation on GitHub, and most of the dashboards are blank.

SOC dashboard has data in it
Kernel dashboard is blank (searched for all time)
SYSCALL is blank (searched for all time)
TYPE ENFORCEMENT has data
SUDO is blank

Also, when I ran the search [|inputlookup auditd_indicies] [|inputlookup auditd_sourcetypes], it only shows one sourcetype (syslog). Ideally this should show another sourcetype (linux:audit), and I believe this could be the reason the SYSCALL dashboard is blank.

Haven't done any config related to the data model; not sure if this is related.

Please advise.

thanks in advance.


doksu
SplunkTrust

It sounds like the auditd_sourcetypes lookup may have been modified to include 'syslog', which will not work. 'linux:audit' is the sourcetype that should be used, as per the app documentation's requirement list (https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#requirements). A workaround is provided for 'linux_audit' in the documentation (https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#sourcetype); however, use of the 'syslog' sourcetype is not supported.

With respect to some dashboards showing information and others not, please see: https://github.com/doksu/splunk_auditd/wiki/About-Auditd to configure auditd to log those additional event types. This is discussed in the user guide video: https://www.youtube.com/watch?v=M7QZRAHSs5E

Regarding the datamodel, please see the documentation here: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#datamodel

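The answer above names two separate causes: the lookup pointing at the wrong sourcetype, and auditd on the host never writing the record types a given dashboard searches for. The POSIX shell script below is an added example (not code from the thread, the splunk_auditd app or Splunk's documentation) that reproduces both on constructed data so they can be told apart before anything is changed in Splunk. It assumes the auditd_sourcetypes lookup CSV has a single sourcetype column, and the dashboard-to-record-type map in it (SYSCALL needs type=SYSCALL, SUDO needs type=USER_CMD, TYPE ENFORCEMENT needs type=AVC) is my reading of what those dashboards depend on, not something taken from the app's searches; the record type names themselves are standard auditd ones. The audit.log lines are constructed.

```shell
#!/bin/sh
# Added example for this thread; not code from the splunk_auditd app or the
# Splunk documentation. It reproduces the two causes named in the accepted
# answer on constructed data so they can be told apart before touching Splunk:
#   1. the auditd_sourcetypes lookup listing "syslog" instead of "linux:audit"
#   2. auditd on the host never writing the record types a dashboard reads
# Assumptions: the lookup CSV has a single "sourcetype" column, and the
# dashboard-to-record-type map below is my reading of what those dashboards
# need, not something taken from the app's searches.

# Constructed lookup contents: as the poster had it, and as the docs require.
LOOKUP_AS_FOUND='sourcetype
syslog'
LOOKUP_REQUIRED='sourcetype
linux:audit'

# Check 1: the lookup must list linux:audit (header row skipped).
# Prints "ok", or "fix-lookup: <values found>" when it does not.
lookup_check() {
    _vals=$(printf '%s\n' "$1" | tail -n +2 | grep -v '^[[:space:]]*$')
    if printf '%s\n' "$_vals" | grep -qx 'linux:audit'; then
        echo ok
    else
        echo "fix-lookup: $(printf '%s' "$_vals" | tr '\n' ' ')"
    fi
}

# Constructed /var/log/audit/audit.log excerpts. First: a host with no audit
# rules loaded, so only daemon, login and SELinux records exist.
AUDIT_DEFAULT_RULES=$(cat <<'EOF'
type=SERVICE_START msg=audit(1710000000.123:101): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_LOGIN msg=audit(1710000001.456:102): pid=1200 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/0 res=success'
type=AVC msg=audit(1710000002.789:103): avc:  denied  { read } for  pid=1300 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
)

# Second: the same host after loading an execve rule (auditctl -a always,exit
# -F arch=b64 -S execve -k exec) and running one sudo command.
AUDIT_WITH_RULES=$(cat <<'EOF'
type=SYSCALL msg=audit(1710000100.001:201): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0a2e2a0 a1=55d1c0a2e3c0 a2=55d1c0a2e400 a3=8 items=2 ppid=1400 pid=1401 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="exec"
type=USER_CMD msg=audit(1710000101.002:202): pid=1402 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd=636174202F6574632F736861646F77 exe="/usr/bin/sudo" terminal=pts/0 res=success'
EOF
)

# Record types present in a raw log, one per line, sorted and de-duplicated.
record_types() {
    printf '%s\n' "$1" | awk '$1 ~ /^type=/ { sub(/^type=/, "", $1); print $1 }' | sort -u
}

# "data" if the log holds at least one record of the given type, else "blank".
dashboard_state() {
    if record_types "$1" | grep -qx "$2"; then echo data; else echo blank; fi
}

# Dashboards from the thread and the auditd record type each one depends on.
# SYSCALL records only exist once a rule is loaded; sudo writes USER_CMD;
# SELinux type enforcement denials are AVC records.
report() {
    for _pair in 'SYSCALL:SYSCALL' 'SUDO:USER_CMD' 'TYPE_ENFORCEMENT:AVC'; do
        _dash=${_pair%%:*}
        _type=${_pair##*:}
        printf '%-16s %-5s (needs type=%s)\n' "$_dash" "$(dashboard_state "$1" "$_type")" "$_type"
    done
}

# auditd hex-encodes fields containing spaces or quotes, such as the sudo
# command line, so decode before matching on it.
hex_decode() {
    _h=$1
    while [ -n "$_h" ]; do
        _byte=$((0x$(printf '%s' "$_h" | cut -c1-2)))
        _h=$(printf '%s' "$_h" | cut -c3-)
        printf "\\$(printf '%03o' "$_byte")"
    done
}

# Decoded command line of every USER_CMD record, one per line.
sudo_commands() {
    printf '%s\n' "$1" |
        awk '$1 == "type=USER_CMD" { for (i = 1; i <= NF; i++) if ($i ~ /^cmd=/) { sub(/^cmd=/, "", $i); print $i } }' |
        while IFS= read -r _cmd; do hex_decode "$_cmd"; echo; done
}

echo "lookup as found: $(lookup_check "$LOOKUP_AS_FOUND")"
echo "lookup required: $(lookup_check "$LOOKUP_REQUIRED")"
echo "--- no audit rules loaded"; report "$AUDIT_DEFAULT_RULES"
echo "--- execve rule loaded, one sudo command"; report "$AUDIT_WITH_RULES"
echo "sudo ran: $(sudo_commands "$AUDIT_WITH_RULES")"
```

On a real host, feed `report` the output of `ausearch --raw` or the contents of /var/log/audit/audit.log instead of the heredocs, and run `auditctl -l` first: an empty rule list is exactly the state in which SYSCALL records are never produced, so the SYSCALL dashboard stays blank no matter how the Splunk side is configured. The first sample above reproduces the poster's symptom (AVC present, SYSCALL and USER_CMD absent); the second shows what appears once a rule is loaded and sudo is used.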

hkumar8
Explorer

Thanks.

auditd_sourcetypes was looking for syslog only; I changed that to look for linux:audit, and all the dashboards are populating now.

thanks.
