Also, there was no definition for passAuth for this script in inputs.conf in /opt/splunk/etc/system/local/inputs.conf, so I added the script below:
[script://$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA]
passAuth = admin
After this change was made, the logs started to flow in. Presume something was missing in terms of permissions when the loggrabber was installed or it's a problem with the package - unless no one else has seen this?