-
Notifications
You must be signed in to change notification settings - Fork 11
Installation and Configuration
- Platform independent
- Splunk Enterprise 6.5+ / Splunk Cloud
- linux:audit and linux:audit:enriched sourcetype events (see Sourcetype section below)
To upgrade from Version 1.x or 2.x to Version 3 of the Linux Auditd app, please take a backup then remove the old version and its TA_linux-auditd app completely from all Splunk servers, then perform a normal installation as per below.
There are no special installation requirements. The TA and associated app should be installed in your environment in the same way you would any other apps. For example, on a normal stand-alone search head:
- Install the Linux Auditd Technology Add-On from Splunkbase (https://splunkbase.splunk.com/app/4232/)
- Install the Linux Auditd app from Splunkbase (https://splunkbase.splunk.com/app/2642/)
- Restart Splunk
N.B. If deploying to a SHC, follow the normal procedure using the deployer to distribute the app and TA.
It's recommended (but not essential) to install the TA-linux_auditd app on all heavy forwarders and indexers to ensure events are correctly indexed.
It's essential that your Auditd events are sourcetyped correctly. If you install the TA-linux_auditd app on indexers and heavy forwarders, it will ensure that newly ingested events are correctly sourcetyped. If however you have existing events indexed with the vendor's old underscore sourcetype convention (i.e. 'linux_audit') and you wish to use them with this app, then several minor (unsupported) changes must be made:
- Change 'linux:audit' stanza name in 'TA-linux_auditd/default/props.conf' to '[(::){0}linux*audit]' on search heads
- Append 'OR sourcetype=linux_audit' to the search in a local 'auditd_events' eventtype in the TA-linux_auditd app on search heads
- Add 'linux_audit' to list of sourcetypes in TA-linux_auditd/lookups/auditd_sourcetypes.csv
- Restart Splunk
After completing the installation steps above, please run the 'Configure' dashboard as a user with access to the auditd events and wait for all the searches to complete (N.B. This may take some time depending on the number of searchable auditd events in your environment and the time period selected).
The TA-linux_auditd app resolves uid values to posix usernames. For this to occur, two lookups require populating on the search heads. The first contains local users (typically created by package management) and can be extracted from /etc/passwd using the following command:
awk -F ':' 'BEGIN {print "uid,user"} {print $3","$1}' /etc/passwd > /opt/splunk/etc/apps/TA-linux_auditd/lookups/local_posix_identities.csv
The second lookup contains directory users and can be populated by scheduling the following search to run periodically with the SA-ldapsearch app (https://splunkbase.splunk.com/app/1151/):
| ldapsearch search="(&(objectclass=user)(uidNumber=*))" attrs="sAMAccountName,uidNumber" | rename sAMAccountName as user, uidNumber as uid | table uid user | outputlookup directory_posix_identities
Within 5 minutes of populating the lookups above, they will automatically be merged into the 'posix_identities' lookup. To check its status, open the 'Help' dashboard and wait until the 'Merged Posix Users' value is greater than zero.
At this point, it's strongly recommended to enable acceleration for the provided 'Auditd' datamodel. This can be done via the web interface on your search head: Settings -> Data models -> Edit (next to Auditd) -> Edit Acceleration -> Tick the box, and change the Summary Range (at least '7 Days', but preferably '1 month' or longer), then click 'Save'. N.B. The Auditd datamodel is quite modest in size - we know from extensive testing that the datamodel acceleration size is only +5% of the raw data.