The app simply contains inputs.conf that has the monitor stanzas below. This app was deployed to both Windows and Linux servers. It is working on the Windows servers, but not on the Linux servers. I see log messages from splunkd.log that seem to indicate that Splunk is attempting to monitor the files, but when I search the _internal index for host=servername.domain and source="/opt/splunkforwarder/var/log/splunk/splunkd.log" I get no results.

```
02-14-2017 08:31:07.903 -0600 INFO WatchedFile - Will begin reading at offset=111468 for file='/opt/splunkforwarder/var/log/splunk/audit.log'.
    host = servername.domain   source = /opt/splunkforwarder/var/log/splunk/splunkd.log   sourcetype = splunkd
02-13-2017 21:29:25.417 -0600 INFO WatchedFile - Will begin reading at offset=108519 for file='/opt/splunkforwarder/var/log/splunk/audit.log'.
    host = servername.domain   source = /opt/splunkforwarder/var/log/splunk/splunkd.log   sourcetype = splunkd
02-13-2017 16:37:32.705 -0600 INFO WatchedFile - Will begin reading at offset=105392 for file='/opt/splunkforwarder/var/log/splunk/audit.log'.
    host = servername.domain   source = /opt/splunkforwarder/var/log/splunk/splunkd.log   sourcetype = splunkd
02-13-2017 14:40:29.015 -0600 INFO WatchedFile - Will begin reading at offset=103010 for file='/opt/splunkforwarder/var/log/splunk/audit.log'.
    host = servername.domain   source = /opt/splunkforwarder/var/log/splunk/splunkd.log   sourcetype = splunkd
02-13-2017 14:02:01.743 -0600 INFO WatchedFile - Will begin reading at offset=100628 for file='/opt/splunkforwarder/var/log/splunk/audit.log'.
    host = servername.domain   source = /opt/splunkforwarder/var/log/splunk/splunkd.log   sourcetype = splunkd
02-13-2017 13:28:58.577 -0600 INFO WatchedFile - Will begin reading at offset=96238 for file='/opt/splunkforwarder/var/log/splunk/audit.log'.
    host = servername.domain   source = /opt/splunkforwarder/var/log/splunk/splunkd.log   sourcetype = splunkd
```

I have verified that the app (inputs.conf file) is being deployed. I'm not really sure what I should check next.

You actually shouldn't need to create a monitor for the audit log, as Splunk monitors it out of the box! You can use btool to examine the inputs on your UF:

```
bin]$
/opt/splunkforwarder/etc/system/default/inputs.conf
/opt/splunkforwarder/etc/system/default/inputs.conf    _rcvbuf = 1572864
/opt/splunkforwarder/etc/system/local/inputs.conf      host =
```

I tried with the posted solution but unfortunately it was not successful, therefore I worked directly with the Splunk support team to solve this; here below are our findings.

Basically the audit.log from the Splunk Universal Forwarders is not indexed due to the fact that there is a default configuration that sends it to the null queue:

Even overwriting it with a local stanza was not working.

# Specific configuration to enable monitoring Splunk Universal Forwarder audit logs

In order to solve it, it is necessary to bypass the default configuration that is sending to the null queue with a monitor stanza in inputs.conf, therefore I created a specific app in the Deployment Server and deployed it to all the Splunk Universal Forwarders (*nix and Windows):

- Source -> it needs to be different from $SPLUNK_HOME/var/log/splunk/audit.log, otherwise the data are not ingested
- Sourcetype -> it needs to be audittrail, otherwise the data are not ingested

In this way the Splunk Universal Forwarder audit logs will be indexed in the same index and with the same source and sourcetype as the ones coming from the Splunk Enterprise servers (Search Heads, Indexers, Master Node, Deployment Server, Heavy Forwarders, License Master, etc.).
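The btool check suggested above and the finding that a local stanza did not take effect both come down to the same question: which file wins for each setting of the audit.log monitor stanza. As an added example (not code from this thread or from Splunk), the POSIX shell below parses a constructed sample of `splunk btool inputs list --debug` output and reports the winning file per setting, so an administrator can confirm whether a deployed app's stanza actually overrode system/default; the app name uf_audit, the host uf01.example and the setting values are assumed.

```shell
#!/bin/sh
# Constructed sample of `splunk btool inputs list --debug` output on a UF
# (not taken from the thread; host, app name and values are made up).
# btool --debug prefixes every stanza header and every resolved setting with
# the file whose value won the precedence merge.
BTOOL_SAMPLE='/opt/splunkforwarder/etc/system/default/inputs.conf [monitor://$SPLUNK_HOME/var/log/splunk/audit.log]
/opt/splunkforwarder/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunkforwarder/etc/system/local/inputs.conf host = uf01.example
/opt/splunkforwarder/etc/apps/uf_audit/local/inputs.conf index = _audit
/opt/splunkforwarder/etc/system/default/inputs.conf sourcetype = audittrail
/opt/splunkforwarder/etc/system/default/inputs.conf [monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
/opt/splunkforwarder/etc/system/default/inputs.conf sourcetype = splunkd'

# Print "key=value (winning file)" for each setting of one stanza.
# $1 = stanza name without brackets; btool --debug output on stdin.
stanza_settings() {
  awk -v want="$1" '
    /^[^ ]+ \[/ {
      in_stanza = (substr($0, index($0, "[")) == ("[" want "]"))
      next
    }
    in_stanza && NF >= 3 {
      file = $1
      line = substr($0, length(file) + 2)
      sub(/^ +/, "", line)
      sub(/ *= */, "=", line)
      print line " (" file ")"
    }'
}

# Number of settings in the stanza that still come from system/default,
# i.e. that no app or local inputs.conf managed to override.
default_settings_count() {
  stanza_settings "$1" | grep -c '(/opt/splunkforwarder/etc/system/default/'
}

# Run stand-alone: show what the forwarder will actually apply to audit.log.
AUDIT='monitor://$SPLUNK_HOME/var/log/splunk/audit.log'
printf '%s\n' "$BTOOL_SAMPLE" | stanza_settings "$AUDIT"
echo "settings still from system/default: $(printf '%s\n' "$BTOOL_SAMPLE" | default_settings_count "$AUDIT")"
```

On a real forwarder, pipe the output of `$SPLUNK_HOME/bin/splunk btool inputs list --debug` into `stanza_settings` instead of the sample.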