Skip to content

Installation and Configuration

Jump to bottom
doksu edited this page Mar 28, 2016 · 29 revisions

Requirements

  • Platform independent
  • Splunk Enterprise 6.3+ / Splunk Cloud
  • linux:audit sourcetyped events (see Sourcetype section below)

Upgrade

To upgrade from Version 1.x to Version 2 of the Linux Auditd app, please remove the old version and its TA_linux-auditd app completely from all Splunk servers, then perform a normal installation as per below.

Installation

There are no special installation requirements. This app should be installed in your environment in the same way you would any other app. For example, on a normal stand-alone search head:

  1. Install the linux-auditd app from Splunkbase (https://splunkbase.splunk.com/app/2642/)
  2. Copy the TA_linux-auditd app from the '$SPLUNK_HOME/etc/apps/linux-auditd/appserver/addons/' folder to '$SPLUNK_HOME/etc/apps/'
  3. Restart Splunk

N.B. If deploying to a SHC, follow the normal procedure using the deployer to distribute the app and TA.

If not already ingesting audit logs, you can use the provided inputs.conf configuration in TA_linux-auditd:

  1. Create the folder '$SPLUNK_HOME/etc/apps/TA_linux-auditd/local'
  2. Copy '$SPLUNK_HOME/etc/apps/TA_linux-auditd/default/inputs.conf' to '$SPLUNK_HOME/etc/apps/TA_linux-auditd/local/inputs.conf'
  3. Edit '$SPLUNK_HOME/etc/apps/TA_linux-auditd/local/inputs.conf', uncommenting the stanza and changing 'disabled = true' to 'disabled = false', then specifying the index you'd like auditd events to be indexed into
  4. Restart Splunk

It's recommended (but not essential) to install the TA_linux-auditd app on all heavy forwarders and indexers to ensure events are correctly indexed.

If you have Enterprise Security, you may wish to also wish to install the 'SA-LinuxAuditd' app from '$SPLUNK_HOME/etc/apps/linux-auditd/appserver/addons/' on your ES search head/s. For assistance configuring the correlation search provided, please contact Splunk Professional Services.

Sourcetype

It's essential that your Auditd events are sourcetyped correctly. If you install the TA_linux-auditd app on indexers and heavy forwarders, it will ensure that newly ingested events are correctly sourcetyped. If however you have existing events indexed with the vendor's old underscore sourcetype convention (i.e. 'linux_audit') and you wish to use them with this app, then several minor (unsupported) changes must be made:

  1. Change 'linux:audit' stanza name in 'TA_linux-auditd/default/props.conf' to '[(::){0}linux*audit]' on search heads
  2. Append 'OR sourcetype=linux_audit' to the search in a local 'auditd_events' eventtype in the TA_linux-auditd app on search heads
  3. Add 'linux_audit' to list of sourcetypes in TA_linux_auditd/lookups/auditd_sourcetypes.csv
  4. Restart Splunk

Configuration

After completing the installation steps above, please run the 'Configure' dashboard and wait for all the searches to complete (N.B. This may take some time depending on the number of searchable auditd events in your environment and the time period selected).

The TA_linux-auditd app resolves uid values to posix usernames. For this to occur, two lookups require populating on the search heads. The first contains local users (typically created by package management) and can be extracted from /etc/passwd using the following command:

awk -F ':' 'BEGIN {print "uid,user"} {print $3","$1}' /etc/passwd > /opt/splunk/etc/apps/TA_linux-auditd/lookups/local_posix_identities.csv

The second lookup contains directory users and can be populated by scheduling the following search to run periodically with the SA-ldapsearch app (https://splunkbase.splunk.com/app/1151/):

| ldapsearch search="(&(objectclass=user)(uidNumber=*))" attrs="sAMAccountName,uidNumber" | rename sAMAccountName as user, uidNumber as uid | table uid user | outputlookup directory_posix_identities

Within 5 minutes of populating the lookups above, they will automatically be merged into the 'posix_identities' lookup. To check its status, open the 'Help' dashboard and wait until the 'Merged Posix Users' value is greater than zero.

At this point, it's strongly recommended to enable datamodel acceleration. This can be done via the web interface on your search head: Settings -> Data models -> Edit (next to Auditd) -> Edit Acceleration -> Tick the box, and change the Summary Range (at least '7 Days', but preferably 'All Time'), then click 'Save'. N.B. The Auditd datamodel is quite modest in size - we know from extensive testing that the datamodel acceleration size is only +5% of the raw data.

Clone this wiki locally