Troubleshooting

doksu edited this page Oct 31, 2018 · 2 revisions

Security Operations Centre dashboard is slow

Enable 'Auditd' datamodel acceleration with a "Summary Range" of at least 7 days.

Security Operations Centre dashboard displays list of decommissioned hosts as 'missing'

You need to add those hosts to the 'auditd_decommissioned_hosts' lookup. Please watch the User Guide video for more information.

User TTY dashboard displays nothing

Keystroke logging needs to be enabled for these events to be logged. Please see About Auditd for more information.

Help dashboard's TA Status pane says "TA NOT INSTALLED"

You need to install the TA-linux_auditd app from https://splunkbase.splunk.com/app/4232/. Please see Installation and Configuration for more information.

Help dashboard's TA Status pane says "TA VERSION MISMATCH"

You need to install the latest TA-linux_auditd app from https://splunkbase.splunk.com/app/4232/. Please see the Upgrade instructions in Installation and Configuration for more information.

Help dashboard displays uid conflicts

This is a warning that users in the lookups have conflicting uids. Please watch the User Guide video for more information.