Getting Data In

Does Splunk Universal Forwarder forward audit events

ankithreddy777
Contributor

Does the Splunk Universal Forwarder forward audit event logs to the Splunk _audit index?
I can see that the Splunk HFs are forwarding audit events, but I couldn't find which app has the inputs.conf that enables reading the audit logs and forwarding them to the _audit index.

May I know which app contains the inputs that read and send data to the _audit index in Splunk?


lakshman239
Influencer

You would see default/outputs.conf in the SplunkForwarder app with

[tcpout]
forwardedindex.x.whitelist = (_audit|_introspection|_telemetry)

This would forward all the _* logs to the index layer.

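To see what a forwardedindex filter list actually does to an index name, here is an added example that is not code from this thread or from Splunk. It models the evaluation rule documented in outputs.conf.spec as I understand it (filters are tested in order of n, the last filter that matches decides, a whitelist beats a blacklist on the same n) and assumes that the regex must match the whole index name. The outputs.conf text is a constructed sample: entries 0 and 1 mirror the shape of the stock system/default file, and entry 2 is the whitelist quoted in the answer above. Running it is a quick way to check that a local outputs.conf override is not silently dropping _audit before it reaches the indexers.

```python
import re
from configparser import ConfigParser

# Constructed sample outputs.conf (not copied from any real deployment).
SAMPLE_OUTPUTS_CONF = """
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_introspection|_telemetry)
forwardedindex.filter.disable = false
"""

_KEY_RE = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)$")


def load_index_filters(conf_text):
    """Parse [tcpout] and return the ordered list of (kind, compiled_regex).

    Returns an empty list when forwardedindex.filter.disable is true,
    meaning no index-based filtering is applied at all.
    """
    parser = ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(conf_text)
    tcpout = parser["tcpout"]
    if tcpout.get("forwardedindex.filter.disable", "false").strip().lower() == "true":
        return []

    filters = {}
    for key, value in tcpout.items():
        match = _KEY_RE.match(key)
        if not match:
            continue
        n, kind = int(match.group(1)), match.group(2)
        # Spec: if both whitelist and blacklist exist for one n, whitelist wins.
        if kind == "whitelist" or n not in filters:
            filters[n] = (kind, re.compile(value.strip()))

    positions = sorted(filters)
    # Spec: n must start at 0 and be contiguous; flag gaps instead of guessing.
    if positions != list(range(len(positions))):
        raise ValueError("forwardedindex.<n> entries must be contiguous from 0")
    return [filters[n] for n in positions]


def is_forwarded(index_name, filters):
    """Apply the filters in order; the last matching filter decides.

    Assumption: an index matches only if the regex covers the whole name.
    With filtering disabled (empty list) everything is forwarded.
    """
    if not filters:
        return True
    decision = False  # an index that matches no filter is not forwarded
    for kind, regex in filters:
        if regex.fullmatch(index_name):
            decision = kind == "whitelist"
    return decision


def forwarded_indexes(conf_text, index_names):
    """Map each index name to True/False according to the [tcpout] filters."""
    filters = load_index_filters(conf_text)
    return {name: is_forwarded(name, filters) for name in index_names}


if __name__ == "__main__":
    checks = ["main", "_internal", "_audit", "_introspection", "_telemetry", "myapp_audit"]
    for name, ok in forwarded_indexes(SAMPLE_OUTPUTS_CONF, checks).items():
        print(f"{name:16} -> {'forwarded' if ok else 'dropped'}")
```

With the sample above, main passes on the first whitelist, _audit is blacklisted by entry 1 and then re-whitelisted by entry 2, and any other underscore index stops at the blacklist. Point the same functions at the merged output of `splunk btool outputs list tcpout` on a forwarder to see the effective result of default plus local layers.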

gcusello
SplunkTrust

Hi ankithreddy777,
they are in system/default and/or system/local.
Bye.
Giuseppe

gcusello
SplunkTrust

Hi ankithreddy777,
if you're satisfied with this answer, please accept and/or upvote it.

Bye, see next time.
Giuseppe
