Installation and Configuration
- Splunk Enterprise 6.3+ / Splunk Cloud
- linux:audit sourcetyped events (see Sourcetype section below)
- Install the linux-auditd app from Splunkbase (https://splunkbase.splunk.com/app/2642/) on your search head/s in the same way as any other app in your environment
- Copy the TA_linux-auditd app from the '$SPLUNK_HOME/etc/apps/linux-auditd/appserver/addons/' folder to '$SPLUNK_HOME/etc/apps/'
- Create the folder '$SPLUNK_HOME/etc/apps/TA_linux-auditd/local'
- Copy '$SPLUNK_HOME/etc/apps/TA_linux-auditd/default/inputs.conf' to '$SPLUNK_HOME/etc/apps/TA_linux-auditd/local/inputs.conf'
- Edit '$SPLUNK_HOME/etc/apps/TA_linux-auditd/local/inputs.conf', changing 'disabled = true' to 'disabled = false' and specifying the index you'd like auditd events to be indexed in
- It's recommended (but not essential) to install the TA_linux-auditd app on all heavy forwarders and indexers as well, to ensure events are correctly sourcetyped at ingest time
- Restart Splunk
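The copy-and-edit steps above, as an added shell example that is not part of the app's own code. It stages the add-on from the bundled 'appserver/addons' folder into '$SPLUNK_HOME/etc/apps', creates 'local/', and writes the enabled input with the chosen index into 'local/inputs.conf' only, leaving 'default/' untouched. The 'make_sample_addon' helper and its one-stanza inputs.conf are constructed so the script can be exercised against a throwaway directory instead of a real Splunk install; the paths are the ones this page names.

```shell
#!/bin/sh
# Added example: stage TA_linux-auditd under $SPLUNK_HOME and enable its input.
# Not the app's own code; the sample add-on content below is constructed.

# make_sample_addon HOME: creates a minimal stand-in for the bundled add-on
# (constructed data) so the steps can be run without a real Splunk install.
make_sample_addon() {
  app="$1/etc/apps/linux-auditd/appserver/addons/TA_linux-auditd"
  mkdir -p "$app/default"
  printf '[monitor:///var/log/audit/audit.log]\nsourcetype = linux:audit\ndisabled = true\n' \
    > "$app/default/inputs.conf"
}

# install_ta HOME INDEX: copy the add-on into etc/apps, create local/, and
# write an enabled copy of inputs.conf pointing at INDEX into local/.
install_ta() {
  home="$1"; index="$2"
  src="$home/etc/apps/linux-auditd/appserver/addons/TA_linux-auditd"
  dst="$home/etc/apps/TA_linux-auditd"
  [ -d "$src" ] || { echo "add-on not found at $src" >&2; return 1; }
  cp -R "$src" "$dst"
  mkdir -p "$dst/local"
  conf="$dst/local/inputs.conf"
  # Enable the monitor input and set the index in local/ only; default/ stays
  # as shipped so an app upgrade does not overwrite the change. Appending
  # "index =" assumes the single-stanza inputs.conf used by this add-on.
  { sed 's/^disabled = true$/disabled = false/' "$dst/default/inputs.conf"
    printf 'index = %s\n' "$index"; } > "$conf"
}

# input_enabled CONF: succeeds only if the input is enabled and an index is set,
# a quick post-install check before restarting Splunk.
input_enabled() {
  grep -q '^disabled = false$' "$1" && grep -q '^index = ' "$1"
}

# Stand-alone demo against a throwaway tree (constructed, not a real install):
#   demo=$(mktemp -d); make_sample_addon "$demo"; install_ta "$demo" auditd
#   input_enabled "$demo/etc/apps/TA_linux-auditd/local/inputs.conf" && echo ok
```

Against a real deployment, skip 'make_sample_addon' and call 'install_ta "$SPLUNK_HOME" <index>' on each search head (and on heavy forwarders and indexers if you follow the recommendation above), then restart Splunk.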
If you have Enterprise Security, you may also wish to install the 'SA-LinuxAuditd' app from '$SPLUNK_HOME/etc/apps/linux-auditd/appserver/addons/' on your ES search heads. For assistance configuring the correlation search provided, please contact Splunk Professional Services.
It's essential that your Auditd events are sourcetyped correctly. If you install the TA_linux-auditd app on indexers and heavy forwarders, it will ensure that newly ingested events are correctly sourcetyped. However, if you have existing events indexed with the vendor's old underscore sourcetype convention (i.e. 'linux_audit') and you wish to use them with this app, then several minor (unsupported) changes must be made:
- Change 'linux:audit' stanza name in 'TA_linux-auditd/default/props.conf' to '[(::){0}linux*audit]' on search heads
- Add 'OR sourcetype=linux_audit' to a local 'auditd_events' eventtype in TA_linux-auditd app on search heads
- Add 'linux_audit' to the list of sourcetypes in TA_linux-auditd/lookups/auditd_sourcetypes.csv
- Restart Splunk
After completing the installation steps above, please run the 'Configure' dashboard and wait for all the searches to complete.
The TA_linux-auditd app resolves uid values to POSIX usernames. For this to work, two lookups need to be populated on the search heads. The first contains local users (typically created by package management) and can be extracted from /etc/passwd using the following command:
awk -F ':' 'BEGIN {print "uid,user"} {print $3","$1}' /etc/passwd > /opt/splunk/etc/apps/TA_linux-auditd/lookups/local_posix_identities.csv
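The same awk extraction wrapped as a function, with a uid-to-user resolver alongside it so you can confirm the generated CSV maps the way the TA expects before dropping it into the lookups folder. This is an added example, not part of the app; the input and output paths are parameters, and the passwd entries written by 'write_sample_passwd' are constructed for an offline run.

```shell
#!/bin/sh
# Added example: build local_posix_identities.csv from a passwd-format file and
# resolve a uid against it. Not the app's own code; sample data is constructed.

# build_local_identities PASSWD OUT: the awk command from this page, with the
# input and output paths as parameters. Only fields 3 (uid) and 1 (name) are
# used, so commas in the GECOS field cannot corrupt the CSV.
build_local_identities() {
  awk -F ':' 'BEGIN {print "uid,user"} {print $3","$1}' "$1" > "$2"
}

# lookup_user UID CSV: print the username for a numeric uid, or "unknown" if
# the uid is absent (the case the directory lookup is meant to cover).
lookup_user() {
  awk -F ',' -v uid="$1" \
    'NR > 1 && $1 == uid {print $2; found = 1; exit} END {if (!found) print "unknown"}' "$2"
}

# write_sample_passwd FILE: constructed passwd entries for an offline run.
write_sample_passwd() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
splunk:x:1001:1001:Splunk User:/opt/splunk:/bin/bash
EOF
}

# Stand-alone demo (constructed data, not the host's real /etc/passwd):
#   d=$(mktemp -d); write_sample_passwd "$d/passwd"
#   build_local_identities "$d/passwd" "$d/local_posix_identities.csv"
#   lookup_user 1001 "$d/local_posix_identities.csv"
```

On a real search head, run 'build_local_identities /etc/passwd $SPLUNK_HOME/etc/apps/TA_linux-auditd/lookups/local_posix_identities.csv' and re-run it whenever local accounts are added, since a stale lookup leaves new uids unresolved in the app's dashboards.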
The second lookup contains directory users and can be populated by scheduling the following search to run periodically with the SA-ldapsearch app (https://splunkbase.splunk.com/app/1151/):
| ldapsearch search="(&(objectclass=user)(uidNumber=*))" attrs="sAMAccountName,uidNumber" | rename sAMAccountName as user, uidNumber as uid | table uid user | outputlookup directory_posix_identities
Finally, it's strongly recommended to enable datamodel acceleration. This can be done via the web interface on your search head: Settings -> Data models -> Edit (next to Auditd) -> Edit Acceleration -> tick the box and change the Summary Range (preferably All Time), then click Save. After doing so, ensure the datamodel is still available to all apps by clicking 'Edit' next to the Auditd datamodel again -> Edit Permissions -> All Apps -> Save.
To upgrade from Version 1.x to Version 2 of the Linux Auditd app, please remove the old version and its TA_linux-auditd app completely from all Splunk servers, then perform a normal installation as per above.