Hi,
Installed the Linux AuditD app on Splunk Cloud (indexer). Linux logs are getting parsed as expected with sourcetype=linux:audit.
Configured the app as per document on Github and see most of the dashboards are blank.
- SOC dashboard has data in it
- Kernel dashboard is blank (searched for all time)
- SYSCALL is blank (searched all time)
- TYPE ENFORCEMENT has data
- SUDO is blank
Also, when I ran the search `[|inputlookup auditd_indicies] [|inputlookup auditd_sourcetypes]`, it only shows one sourcetype (syslog). Ideally this should show another sourcetype (linux:audit), and I believe this could be the reason the SYSCALL dashboard is blank.
Haven't done any config related to data model, not sure if this is related.
Please advise.
Thanks in advance.
It sounds like the auditd_sourcetypes lookup may have been modified to include 'syslog', which will not work. 'linux:audit' is the sourcetype that should be used, as per the app documentation's requirement list (https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#requirements). A workaround is provided for 'linux_audit' in the documentation (https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#sourcetype); however, use of the 'syslog' sourcetype is not supported.
With respect to some dashboards showing information and others not, please see: https://github.com/doksu/splunk_auditd/wiki/About-Auditd to configure auditd to log those additional event types. This is discussed in the user guide video: https://www.youtube.com/watch?v=M7QZRAHSs5E
Regarding the datamodel, please see the documentation here: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#datamodel
Thanks.
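As an added example (not code from the thread or from the splunk_auditd app), the check below reads the contents of the auditd_sourcetypes lookup and reports whether it would let the app's searches match linux:audit events. It assumes the lookup is a CSV with a header column named `sourcetype`; the sample CSV text is constructed to reproduce the misconfiguration described above.

```python
"""Sanity-check the auditd_sourcetypes lookup used by the Splunk AuditD app.

Added example, not part of the original thread or the app. Assumptions
(labelled): the lookup is a CSV whose header column is 'sourcetype', the
only supported value is 'linux:audit', and 'linux_audit' is covered by
the documented workaround. SAMPLE_LOOKUP below is constructed.
"""
import csv
import io

SUPPORTED = "linux:audit"    # required by the app documentation
WORKAROUND = "linux_audit"   # documented workaround sourcetype

# Constructed lookup contents reproducing the thread's misconfiguration.
SAMPLE_LOOKUP = "sourcetype\nsyslog\n"


def check_sourcetypes(csv_text: str) -> dict:
    """Classify each sourcetype in the lookup; 'ok' is True only when at
    least one entry can actually match the app's audit events."""
    rows = csv.DictReader(io.StringIO(csv_text))
    values = [(r.get("sourcetype") or "").strip() for r in rows]
    report = {"supported": [], "workaround": [], "unsupported": []}
    for v in filter(None, values):
        if v == SUPPORTED:
            report["supported"].append(v)
        elif v == WORKAROUND:
            report["workaround"].append(v)
        else:
            report["unsupported"].append(v)   # e.g. 'syslog'
    report["ok"] = bool(report["supported"] or report["workaround"])
    return report


def fixed_lookup(csv_text: str) -> str:
    """Return the lookup with unsupported entries dropped and the
    supported sourcetype present, keeping the 'sourcetype' header."""
    rep = check_sourcetypes(csv_text)
    keep = rep["supported"] + rep["workaround"]
    if SUPPORTED not in keep:
        keep.append(SUPPORTED)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["sourcetype"])
    for v in keep:
        writer.writerow([v])
    return out.getvalue()


if __name__ == "__main__":
    print(check_sourcetypes(SAMPLE_LOOKUP))
    print(fixed_lookup(SAMPLE_LOOKUP), end="")
```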
auditd_sourcetypes was looking for syslog only; changed that to look for linux:audit, and all the dashboards are populating now.
Thanks.