hi all,
I need to send audit logs from RedHat 5.8 to my Splunk Indexer; both machines are on the same network.
On RHEL 5.8, I installed rsyslog and configured the following in the rsyslog.conf file:
$UDPServerRun 9514
audit.log @<Indexer-IP>:9514
Restarted the rsyslog service and configured it to survive reboots.
I can see the file audit.log is being appended by tailing it.
On the Splunk Indexer, I created a new UDP input.
Sourcetype: I tried linux_audit, linux_messages_syslog, linux_secure.
But the Indexer is not receiving the audit.log data from the RHEL system.
What am I missing?
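For comparison, here is an added example (not part of the original post) of a legacy-syntax rsyslog.conf that forwards the auditd log to a UDP listener. auditd writes /var/log/audit/audit.log directly rather than through syslog, so a selector such as "audit.log" matches nothing; the imfile module has to read the file and inject it as syslog messages, which are then forwarded by facility. The indexer address, port 9514, and the choice of facility local6 are assumptions here.

```conf
# Read the auditd log file and turn each line into a syslog message.
# (added example; /var/log/audit/audit.log is the default auditd path,
#  local6 is an arbitrary unused facility chosen for routing)
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag audit:
$InputFileStateFile stat-audit
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

# Forward everything tagged with that facility to the Splunk UDP input.
# Replace <Indexer-IP> with the indexer's address.
local6.* @<Indexer-IP>:9514
# Optional: stop the forwarded copy from also landing in /var/log/messages.
& ~
```

No $UDPServerRun line is needed on the RHEL box for sending; that directive opens a listener on the sender itself. To check the path end to end without touching auditd, run `logger -p local6.info "forward test"` on the RHEL host and confirm the event appears in Splunk under the UDP input (on the sender, `tcpdump -n udp port 9514` shows whether the packet left at all).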