doksu edited this page Oct 31, 2018 · 4 revisions

My Auditd events are syslogged, how do I sourcetype them correctly?

It's best practice to collect events using Splunk's Universal Forwarder on the endpoint, but if that's not possible, an alternative is to collect them via syslog.

  1. Make a 'local' directory in the TA app

  2. Create a props.conf in the local directory with the following:

    [syslog]
    TRANSFORMS-syslog_auditing = linux_audit

N.B. If you've configured auditd on your hosts to log ENRICHED events, then change 'linux_audit' to 'linux_audit_enriched' above.

  3. Install the TA app on heavy forwarders/indexers that cook your syslogged auditd events
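The following script is an added example, not part of this wiki or of the TA itself. It carries out steps 1 and 2 above in one go: it inspects a sample of your syslogged auditd records to decide whether they are RAW or ENRICHED (ENRICHED records carry the resolved, uppercase, quoted fields such as `AUID="..."`, which RAW records never have), then creates the `local` directory and writes the `props.conf` stanza with the matching transform name. The two sample records embedded in it are constructed; the transform names `linux_audit` and `linux_audit_enriched` come from the page.

```shell
#!/bin/sh
# Added example, not from the Linux Auditd app wiki or the TA itself. It
# renders the local/props.conf stanza described above, choosing between the
# page's two transform names by inspecting a sample of the syslogged auditd
# records. The sample records below are constructed for illustration.
set -eu

# Constructed RAW-format SYSCALL record (auditd log_format = RAW): only
# lowercase key=value fields, numeric uid/auid.
RAW_SAMPLE='type=SYSCALL msg=audit(1540900000.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2 auid=1000 uid=0 gid=0 euid=0 exe="/usr/bin/sudo" key="privileged"'

# Constructed ENRICHED record: auditd appends resolved, uppercase, quoted
# fields (AUID="...", UID="...", SYSCALL=execve, ...). The real record carries
# a 0x1d separator before ARCH=; it is omitted here because detection keys on
# the uppercase quoted fields, not on the separator.
ENRICHED_SAMPLE='type=SYSCALL msg=audit(1540900000.123:457): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2 auid=1000 uid=0 gid=0 euid=0 exe="/usr/bin/sudo" key="privileged" ARCH=x86_64 SYSCALL=execve AUID="alice" UID="root" GID="root" EUID="root"'

# detect_transform FILE: print the transform name the [syslog] stanza should
# reference. RAW records never contain the uppercase, quoted AUID field, so a
# case-sensitive match on ' AUID="' distinguishes the two formats.
detect_transform() {
    if grep -q ' AUID="' "$1"; then
        echo linux_audit_enriched
    else
        echo linux_audit
    fi
}

# render_props TRANSFORM: emit the props.conf stanza shown on the page.
render_props() {
    printf '[syslog]\nTRANSFORMS-syslog_auditing = %s\n' "$1"
}

# write_props TA_DIR SAMPLE_FILE: create TA_DIR/local and write props.conf
# (steps 1 and 2 above), printing the transform chosen. Refuses to overwrite
# an existing file so a hand-edited stanza is not silently clobbered.
write_props() {
    ta_dir=$1
    sample=$2
    transform=$(detect_transform "$sample")
    mkdir -p "$ta_dir/local"
    if [ -e "$ta_dir/local/props.conf" ]; then
        echo "refusing to overwrite $ta_dir/local/props.conf" >&2
        return 1
    fi
    render_props "$transform" > "$ta_dir/local/props.conf"
    echo "$transform"
}

# Usage (paths are placeholders):
#   sh this_script.sh /opt/splunk/etc/apps/<TA dir> /path/to/sample-auditd.log
if [ $# -ge 2 ]; then
    write_props "$1" "$2"
fi
```

Point it at a few hundred lines captured from the syslog feed rather than at one record: a single RAW-looking line is not proof that the whole fleet logs RAW, and a mixed fleet needs the hosts reconciled before the stanza is chosen. Step 3 (installing the TA on the heavy forwarders or indexers that parse the feed) is unchanged.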

Why does the app use a custom datamodel?

The Linux Auditd app is designed to work from the smallest to the largest Splunk environments indexing 10s of GBs of Auditd events per day. The only practical way to facilitate the SOC dashboard and ES correlation search at scale is by using a custom datamodel so acceleration can be used.

Why is the pivot command used instead of tstats?

The principal reason for choosing the pivot command over tstats for querying the datamodel is to allow for real-time searches. The Linux Auditd app does not ship with real-time searches; however, one may wish to change the SOC dashboard's indicators to real-time searches, and in that case pivot is required.