App not populating about splunk_auditd HOT 16 OPEN

Have you done anything outside of the instructions? Is the SHC running ES?

from splunk_auditd.

from splunk_auditd.

Apologies for the delay. Are you still experiencing issues? Could you please provide more detail? Which version of Splunk are you running? Have you created a local app import regex in ES to accommodate TA_ named apps? If you're on slack, please message me (trustedsubject) to setup a conference call.

from splunk_auditd.

Here's the app import regex for SplunkEnterpriseSecuritySuite/local/inputs.conf:

[app_imports_update://update_es]
disabled = 0
app_regex = (appsbrowser)|(search)|([ST]A[-].*)|(Splunk[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.*)

from splunk_auditd.

I've just updated the documentation: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#enterprise-security

from splunk_auditd.

from splunk_auditd.

The 'TA Status' pane on the 'Help' dashboard displays 'Working' if the TA is installed (this is determined by using the REST API). If other panes are saying they can't find the Auditd datamodel (which resides in the TA), I strongly suspect a metadata issue caused by ES' app import regex not accommodating the underscore TA naming convention used by the Linux Auditd's technology add-on.

Would you mind sending me the app import stanzas from $SPLUNK_HOME/etc/app/SplunkEnterpriseSecuritySuite/local/inputs.conf on one of the SHC nodes?

from splunk_auditd.

from splunk_auditd.

I've updated the app's contact details here: https://github.com/doksu/splunk_auditd/wiki#support. Feel free to send me an e-mail (PGP encrypted if necessary) so we can have a chat in private.

from splunk_auditd.

I know it is incredibly late but could i perhaps have some help ? We are having this issue too! @doksu

from splunk_auditd.

@warrenmfrancis, what issue is it that you're having? Please provide details.

from splunk_auditd.

@doksu thank you very much for the reply! We are having the "no results found" issue yet the TA is listed as "working"

I am a bit of a splunk noob and would appreciate any help. Thanks in advance!

from splunk_auditd.

@warrenmfrancis, has the configuration (population of the lookups, etc.) been completed as per the documentation?

from splunk_auditd.

@doksu was this the following commands:

awk -F ':' 'BEGIN {print "uid,user"} {print $3","$1}' /etc/passwd > /opt/splunk/etc/apps/TA-linux_auditd/lookups/local_posix_identities.csv

| ldapsearch search="(&(objectclass=user)(uidNumber=*))" attrs="sAMAccountName,uidNumber" | rename sAMAccountName as user, uidNumber as uid | table uid user | outputlookup directory_posix_identities

from splunk_auditd.

For some reason, the app is not finding my index which has all of my audit logs stored. I am using syslog-ng to send logs to splunk not sure if that would make a difference.

from splunk_auditd.

@eljefe-3 that's almost certainly because the events don't have the correct sourcetype.

from splunk_auditd.