
Configure AuditD to send data to the Splunk Add-on for Linux

AuditD (auditd) is the userspace daemon of the Linux Audit framework that writes the kernel's audit records to disk. It ships with most distributions but must be running for audit records to be written to the log; check with systemctl status auditd or auditctl -s before you configure collection.

You can collect audit data either by monitoring the audit log file on each host, or by receiving the records over a TCP port.

Configure AuditD to collect data

You must configure AuditD so that its records can be collected and sent to Splunk. The configuration file is auditd.conf, located by default at /etc/audit/auditd.conf.

Set the log_format property to RAW or ENRICHED. With RAW, records are stored exactly as the kernel sends them. With ENRICHED (available since audit 2.6), AuditD resolves all uid, gid, syscall, architecture, and socket address information before writing each event to disk, and appends the resolved values to the record so that field extractions can use them. Restart AuditD after changing auditd.conf for the new setting to take effect.

Note

Set log_format=ENRICHED to allow proper CIM mapping of auditd event data.

See the auditd.conf(5) man page to learn more about the other settings in auditd.conf.
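The setting above, turned into a script: an added example (not Splunk's or the audit project's own code) that rewrites log_format in auditd.conf without leaving a half-written file behind, keeps the file's mode and owner, and can count how many records in the log already carry enriched fields. The --apply flag, the function names and the use of service auditd restart are this example's own choices; the 0x1d (group separator) byte is what AuditD places between the raw record and the enriched fields.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation or the audit project.
# Usage: sh auditd-enriched.sh --apply   (edits the live config and restarts auditd)
# Without --apply only the functions are defined, so the file can be sourced.
set -eu

# set_log_format CONF VALUE
# Replace (or append) the log_format line in CONF. Writes to a copy that has
# the same mode/owner as the original and renames it into place, so a failed
# edit never leaves a truncated auditd.conf behind.
set_log_format() {
    _conf=$1
    _value=$2
    case "$_value" in
        RAW|ENRICHED) ;;
        *) echo "set_log_format: value must be RAW or ENRICHED, got '$_value'" >&2; return 2 ;;
    esac
    _new="$_conf.new.$$"
    cp -p "$_conf" "$_new"
    if grep -Eq '^[[:space:]]*log_format[[:space:]]*=' "$_conf"; then
        sed -E "s/^[[:space:]]*log_format[[:space:]]*=.*/log_format = $_value/" "$_conf" > "$_new"
    else
        {
            cat "$_conf"
            # add a newline first if the file does not end with one
            [ -n "$(tail -c 1 "$_conf")" ] && echo
            printf 'log_format = %s\n' "$_value"
        } > "$_new"
    fi
    mv "$_new" "$_conf"
}

# get_log_format CONF
# Print the effective log_format (auditd's own default is RAW when unset).
get_log_format() {
    _v=$(sed -nE 's/^[[:space:]]*log_format[[:space:]]*=[[:space:]]*([A-Za-z]+).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${_v:-RAW}"
}

# count_enriched LOGFILE
# Enriched records carry the resolved fields after a 0x1d byte; count the
# lines that contain it. Prints 0 when the log is still RAW.
count_enriched() {
    grep -c "$(printf '\035')" "$1" || true
}

if [ "${1:-}" = "--apply" ]; then
    conf=${AUDITD_CONF:-/etc/audit/auditd.conf}
    set_log_format "$conf" ENRICHED
    # Upstream auditd.service sets RefuseManualStop=yes, so on most systemd
    # distributions `systemctl restart auditd` is refused; the service wrapper works.
    service auditd restart
    echo "log_format is now $(get_log_format "$conf")"
    echo "enriched records so far: $(count_enriched /var/log/audit/audit.log)"
fi
```

Run it once with --apply, then generate an event (for example a sudo invocation) and re-run count_enriched: a rising count confirms that new records are being written in the ENRICHED format, while old RAW records already in the file stay as they were.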

Collect data from the audit logs

  1. Click Settings > Data Inputs > Files & directories.
  2. Define a new data input that monitors the audit log (the log_file setting in auditd.conf, /var/log/audit/audit.log by default) and set the source type to linux:audit.

The forwarder must be able to read the file. By default audit.log is readable only by root, so either run the forwarder as root or set log_group in auditd.conf to a group that the forwarder's user belongs to.

For more information on how to configure data inputs, see Configure your inputs.

If you need to validate your data input configuration, see Validate data collection.

Collect data from a TCP port

  1. Click Settings > Data Inputs > TCP.
  2. Define a new data input on the port that the sending hosts will connect to, and set the source type to linux:audit.

A plain TCP input carries the audit records in cleartext and accepts connections from any host that can reach the port. Restrict it to the expected senders (the acceptFrom setting of the input) or use a TLS-enabled input, and make sure the sender delivers one bare audit record per line rather than a syslog-wrapped copy.

For more information on how to configure data inputs, see Configure your inputs.

If you need to validate your data input configuration, see Validate data collection.
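The two UI procedures above (file monitor and TCP input) as the inputs.conf stanza pair a forwarder would carry, plus a shape check for records arriving over TCP: an added example, not the add-on's or Splunk's own code. The port 9515, the 10.0.0.0/8 sender range, the INPUTS_CONF variable and the function names are assumptions for illustration; the stanza keys (monitor://, tcp://, sourcetype, acceptFrom, disabled) are standard inputs.conf settings.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation or the add-on.
# Usage: INPUTS_CONF=/path/to/local/inputs.conf sh audit-inputs.sh --apply
# Without --apply only the functions are defined, so the file can be sourced.
set -eu

# monitor_stanza LOGFILE -> print a file-monitor stanza tagged linux:audit
monitor_stanza() {
    printf '[monitor://%s]\nsourcetype = linux:audit\ndisabled = 0\n' "$1"
}

# tcp_stanza PORT CIDR -> print a TCP input stanza tagged linux:audit.
# Plain TCP is cleartext and, without acceptFrom, takes input from any host;
# use [tcp-ssl://PORT] instead when the records must be protected in transit.
tcp_stanza() {
    printf '[tcp://%s]\nsourcetype = linux:audit\nacceptFrom = %s\ndisabled = 0\n' "$1" "$2"
}

# write_inputs DEST LOGFILE PORT CIDR -> write both stanzas to DEST,
# refusing to overwrite an existing file.
write_inputs() {
    if [ -e "$1" ]; then
        echo "write_inputs: $1 exists, not overwriting" >&2
        return 1
    fi
    { monitor_stanza "$2"; echo; tcp_stanza "$3" "$4"; } > "$1"
}

# count_audit_stanzas CONF -> number of stanzas in CONF tagged linux:audit
count_audit_stanzas() {
    grep -c '^sourcetype[[:space:]]*=[[:space:]]*linux:audit[[:space:]]*$' "$1" || true
}

# is_audit_record LINE -> exit 0 if LINE is a bare auditd record
# ("type=... msg=audit(seconds.millis:serial): ...", optionally preceded by the
# "node=NAME " that auditd's name_format setting adds), exit 1 otherwise.
# Use it on a sample of what arrives on the TCP port: a record that has
# acquired a syslog header on the way is no longer a bare audit record.
is_audit_record() {
    printf '%s\n' "$1" |
        grep -Eq '^(node=[^ ]+ )?type=[A-Z_]+ msg=audit\([0-9]+\.[0-9]+:[0-9]+\): '
}

if [ "${1:-}" = "--apply" ]; then
    dest=${INPUTS_CONF:?set INPUTS_CONF to the inputs.conf path of your add-on}
    write_inputs "$dest" /var/log/audit/audit.log 9515 10.0.0.0/8
    echo "wrote $(count_audit_stanzas "$dest") linux:audit stanzas to $dest"
fi
```

After restarting the forwarder, a quick end-to-end check of the TCP side is to pipe one line that passes is_audit_record into the port with nc and search for it in Splunk with sourcetype=linux:audit.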