Comments (16)
Have you done anything outside of the instructions? Is the SHC running ES?
from splunk_auditd.
Apologies for the delay. Are you still experiencing issues? Could you please provide more detail? Which version of Splunk are you running? Have you created a local app import regex in ES to accommodate TA_ named apps? If you're on Slack, please message me (trustedsubject) to set up a conference call.
Here's the app import regex for SplunkEnterpriseSecuritySuite/local/inputs.conf:
[app_imports_update://update_es]
disabled = 0
app_regex = (appsbrowser)|(search)|([ST]A[-_].*)|(Splunk[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)
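The stanza above decides which app directories Enterprise Security imports into its search context; an app whose name is not matched is invisible to ES, which is how a data model that lives in the TA ends up "not found" even though the TA itself is installed. The script below is an added diagnostic written for this thread, not code from splunk_auditd or from Splunk. It reads an `app_regex` from a constructed `inputs.conf` excerpt, checks a constructed list of app directory names against it, and compares the result with a hyphen-only pattern (constructed here for contrast; it is not claimed to be the ES default). It assumes ES matches the pattern against the whole directory name, hence `re.fullmatch`.

```python
import re
from configparser import ConfigParser

# Constructed excerpt of SplunkEnterpriseSecuritySuite/local/inputs.conf
# (sample text for this example, not a file copied from a real deployment).
INPUTS_CONF = """
[app_imports_update://update_es]
disabled = 0
app_regex = (appsbrowser)|(search)|([ST]A[-_].*)|(Splunk[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)
"""

# Hyphen-only pattern, constructed for comparison only; it only accepts
# TA-/SA- names with a hyphen and is NOT presented as the ES default.
HYPHEN_ONLY_REGEX = r"(appsbrowser)|(search)|([ST]A-.*)|(Splunk[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)"

# Constructed app directory names as they might appear under $SPLUNK_HOME/etc/apps.
APPS = [
    "TA_linux_auditd",            # underscore-style TA name
    "TA-linux_auditd",            # hyphen-style TA name
    "SA-AccessProtection",
    "DA-ESS-NetworkProtection",
    "splunk_auditd",              # the app itself; the data model lives in the TA
    "search",
    "appsbrowser",
]

STANZA = "app_imports_update://update_es"


def load_app_regex(conf_text):
    """Return the app_regex value from the update_es stanza of an inputs.conf text."""
    parser = ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return parser.get(STANZA, "app_regex")


def imported_apps(app_regex, app_names):
    """App names ES would import: those the pattern matches in full (assumption)."""
    pattern = re.compile(app_regex)
    return [name for name in app_names if pattern.fullmatch(name)]


def missing_apps(app_regex, app_names):
    """App names the pattern does not match, i.e. apps ES would not import."""
    imported = set(imported_apps(app_regex, app_names))
    return [name for name in app_names if name not in imported]


def report(label, app_regex, app_names):
    """Print which constructed app names a given pattern would leave out."""
    print(f"{label}: not imported -> {missing_apps(app_regex, app_names)}")


if __name__ == "__main__":
    report("hyphen-only pattern", HYPHEN_ONLY_REGEX, APPS)
    report("local inputs.conf pattern", load_app_regex(INPUTS_CONF), APPS)
```

Run against a real deployment, the same check can be pointed at the actual `local/inputs.conf` and the directory listing of `$SPLUNK_HOME/etc/apps` on an SHC member: any TA that shows up in the "not imported" list will not have its data model available to ES searches.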
I've just updated the documentation: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#enterprise-security
The 'TA Status' pane on the 'Help' dashboard displays 'Working' if the TA is installed (this is determined by using the REST API). If other panes are saying they can't find the Auditd datamodel (which resides in the TA), I strongly suspect a metadata issue caused by ES' app import regex not accommodating the underscore TA naming convention used by the Linux Auditd's technology add-on.
Would you mind sending me the app import stanzas from $SPLUNK_HOME/etc/app/SplunkEnterpriseSecuritySuite/local/inputs.conf on one of the SHC nodes?
I've updated the app's contact details here: https://github.com/doksu/splunk_auditd/wiki#support. Feel free to send me an e-mail (PGP encrypted if necessary) so we can have a chat in private.
I know it is incredibly late, but could I perhaps have some help? We are having this issue too! @doksu
@warrenmfrancis, what issue is it that you're having? Please provide details.
@doksu thank you very much for the reply! We are having the "no results found" issue yet the TA is listed as "working"
I am a bit of a Splunk noob and would appreciate any help. Thanks in advance!
@warrenmfrancis, has the configuration (population of the lookups, etc.) been completed as per the documentation?
@doksu was this the following commands:
awk -F ':' 'BEGIN {print "uid,user"} {print $3","$1}' /etc/passwd > /opt/splunk/etc/apps/TA-linux_auditd/lookups/local_posix_identities.csv
| ldapsearch search="(&(objectclass=user)(uidNumber=*))" attrs="sAMAccountName,uidNumber" | rename sAMAccountName as user, uidNumber as uid | table uid user | outputlookup directory_posix_identities
For some reason, the app is not finding my index which has all of my audit logs stored. I am using syslog-ng to send logs to Splunk; not sure if that would make a difference.
@eljefe-3 that's almost certainly because the events don't have the correct sourcetype.