- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Linux Auditd app not showing data under multip...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Installed the Linux AuditD app on Splunk Cloud (indexer). Linux logs are getting parsed as expected with sourcetype=linux:audit.
Configured the app as per document on Github and see most of the dashboards are blank.
SOC dashboard has data in it
Kernel dashboard is blank ( searched for all time)
SYSCALL is blank (searched all time)
TYPE ENFORCEMENT has data
SUDO is blank
Also, when I ran the search --- [|inputlookup auditd_indicies] [|inputlookup auditd_sourcetypes] it only shows one sourcetype (syslog) ideally this should show another sourcetype (linux:audit) and I believe this could be the reason the SYSCALL dashboard is blank.
Haven't done any config related to data model, not sure if this is related.
Please advise.
thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like the auditd_sourcetypes lookup may have been modified to include 'syslog', which will not work. 'linux:audit' is the sourcetype that should be used, as per the app documentation's requirement list (https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#requirements). A workaround is provided for 'linux_audit' in the documentation (https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#sourcetype), however use of 'syslog' sourcetype is not supported.
With respect to some dashboards showing information and others not, please see: https://github.com/doksu/splunk_auditd/wiki/About-Auditd to configure auditd to log those additional event types. This is discussed in the user guide video: https://www.youtube.com/watch?v=M7QZRAHSs5E
Regarding the datamodel, please see the documentation here: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#datamodel
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks.
auditd_sourcetypes was looking for syslogs only, changed that to look for linux:audit apps and all the dashboards are populating now.
thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like the auditd_sourcetypes lookup may have been modified to include 'syslog', which will not work. 'linux:audit' is the sourcetype that should be used, as per the app documentation's requirement list (https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#requirements). A workaround is provided for 'linux_audit' in the documentation (https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#sourcetype), however use of 'syslog' sourcetype is not supported.
With respect to some dashboards showing information and others not, please see: https://github.com/doksu/splunk_auditd/wiki/About-Auditd to configure auditd to log those additional event types. This is discussed in the user guide video: https://www.youtube.com/watch?v=M7QZRAHSs5E
Regarding the datamodel, please see the documentation here: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#datamodel
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
