icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Linux Auditd
SHA256 checksum (linux-auditd_310.tgz) 375f25552374ce95f8dd633b1c233b7306ab78175ab4130b0c34b9018789df13 SHA256 checksum (linux-auditd_301.tgz) d0055a7ed36279c1707cdb8757248a267d63c14d46fa709d111fe8bacaf2826a SHA256 checksum (linux-auditd_205.tgz) 5ad8e49a27fd04110107c3e926a9e80173860736f48cebf02228f2c3f895531c SHA256 checksum (linux-auditd_204.tgz) ba5cb31534126d21b44958c31636eecb0a120cfdd15d1bcaf2b6b75c1f84c3b6 SHA256 checksum (linux-auditd_203.tgz) 3d0ffb1523158df70a52a7788cf77d7d04258760933373757fa6380200d05842 SHA256 checksum (linux-auditd_202.tgz) 628260a8d73b04388c9b50fce3a681b117320d28e8f69d6cef33daeed09a5b39 SHA256 checksum (linux-auditd_201.tgz) 474c97757ba41320638f95f068da94bf31ae624936233799796f2719d674c63d SHA256 checksum (linux-auditd_130.tgz) b4b4d7bf9b539bfc3a369e57c60c6e3d8614d28101a7cf08e259c6271bd178ec SHA256 checksum (linux-auditd_120.tgz) 6520428b9a541a6f73e6456caaf32bc109b385f068ff23831bb8997f6faa627d SHA256 checksum (linux-auditd_110.tgz) 7684c9c546c7042ee94d756929143e6265a5c0ec81a37618caa35cd6b32fb754 SHA256 checksum (linux-auditd_101.tgz) c15bdc3e068bee752b29901e81db54e3a2cd8eeee4306ff030cf86d26b53d6b4
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


Linux Auditd

Splunk Cloud
This app is NOT supported by Splunk. Please read about what that means for you here.
Ever wanted to know who triggered that Linux host in your fleet to shutdown? Perhaps you need a definitive means of determining when and how a service crashes? It may be that you need a one-stop dashboard to check a user's activity across your fleet with a high degree of precision? Or could it be that you're just tired of reading SELinux AVC messages manually? Whatever the use case, if you have a Linux fleet in your organisation, you'll want this app.

For the benefit of other users, please post questions at https://answers.splunk.com unless they are of a private nature, in which case the author can be contacted using the 'Contact Developer' button on this page. PGP public key available via MIT (95B6 922E 47D2 7BC3 D1AF F62C 82BC 992E 7CDD 63B6).

This app is dedicated to my daughter. May this app improve the security of organisations great and small.

Please find documentation here: https://github.com/doksu/splunk_auditd/wiki

Release Notes

Version 3.1.0
Oct. 18, 2019

.conf 2019 release - be sure to attend "ATT&CKing Linux with SPL" session to see the new features.

New Features:
- MITRE ATT&CK eventtypes and tag (TA app)
- MITRE ATT&CK in Auditd data model (TA app)
- SOFTWARE_UPDATE events now supported and report provided

Version 3.0.1
Oct. 14, 2018

Splunk .conf 2018 Edition!

Major Changes:
- Linux Auditd Technology Add-On has been moved out of this parent app and is now available from https://splunkbase.splunk.com/app/4232/
- SA-LinuxAuditd app removed and its correlation search moved to documentation

- PROCTITLE type events now decoded and normalised to CIM
- Syscall dashboard now supports keys
- Colour scheme changed to conform to Splunk 7.1+
- Host dashboard now uses new field in inventory lookup to determine uptime estimate, greatly improving performance
- Anomalous Event Volume pane in SOC dashboard updated to improve detection by accommodating changes to the predict command's LLP5 algorithm

Bug Fixes:
- Indices spelling mistake corrected throughout app
- Security Posture Dashboard's Anomalous Event Volume panel renames (https://answers.splunk.com/answers/691234/linux-auditd-app-is-the-spl-for-the-anomalous-even.html) have been fixed (v3.0.1)

Version 2.0.5
March 13, 2017

This release has important bug fixes for which we recommended upgrading.

Bug Fixes:
- Existing uid=4294967295 entry from learnt_posix_identities lookup no longer populates posix identity lookups
- Changed auditd_node transform regex to prevent inode extraction as host (thanks Max Rizzi for reporting bug)

Version 2.0.4
March 8, 2017

This release has an important bug fix for which we recommended upgrading.

- Added prop/transform extracting "node" as host to support audisp-remote (https://answers.splunk.com/answers/507640/audit-logs-from-multiple-hosts.html)
- Added index=* to searches that populate the auditd_indicies lookup so that if the authorize.conf srchIndexesDefault doesn't include the indicies where Auditd events are being indexed, the lookup will still populate correctly
- Upcoming Fedora releases added to distribution_release.csv

Bug Fixes:
- Unknown users being logged as auid=4294967295 no longer populates learnt_posix_identities lookup

Version 2.0.3
Sept. 13, 2016

- Improved CIM 'app' field normalisation.
- Changed deprecated 'seed' option in kernel dashboard to 'initialValue'
- Removed deprecated 'linkView' attribute from single value panes in dashboards
- Removed duplicate 'dispatch.rt_backfill' option in SA-LinuxAuditd app's savedsearches.conf

Bug Fixes:
- The predict command changed in Splunk 6.4, breaking the Anomalous Event Volume indicator in the SOC dashboard (https://github.com/doksu/splunk_auditd/issues/14)
- The System Call dashboard did not show events from hosts with SELinux disabled (https://github.com/doksu/splunk_auditd/issues/12)

Version 2.0.2
April 3, 2016

The following improvements have been made for certification:
- app.conf updated in SA-LinuxAuditd app
- README added to SA-LinuxAuditd app
- Correlation search in SA-LinuxAuditd app enabled by default

Version 2.0.1
March 29, 2016

New Features:
- 5 new dashboards
- Auditd datamodel
- Correlation Search for Enterprise Security
- Automatically learns about your environment (incl. users and hosts) to provide additional context

- Hex decoding of command and TTY logging
- posix_identities lookup generator now resolves uid conflicts
- Eventtypes behind CIM tags

Please see release notes for further details.

Version 1.3.0
Sept. 21, 2015

Version 1.3.0 is being released to celebrate 600 downloads of the Linux Auditd app and .conf 2015.

New Features:
- Added avc_table(2) macro to automatically correlate and summarise AVC and SYSCALL events - the first argument is the hostname and the second is the domain. To test, search for: avc_table(*,*)

- Added support for RHEL 7's SYSCALL event fields
- Updated welcome dashboard to reflect README

Bug Fixes:
- Fixed dest CIM field mapping
- Fixed auditallow AVC result in TE dashboard
- Fixed typo on welcome dashboard

Version 1.2.0
April 24, 2015

New Features:
- System Call and Type Enforcement dashboards now correlate events (see last pane of each dashboard)
- Added ANOM_ABEND signal lookup (Thanks to Pat Boyne for this feature request)

- New extracted/calculated fields
- Login report improved
- Migrated authentication, alerts and account change CIM tags to tags.conf
- Removed timechart axis labels

Bug Fixes:
- Added dedup in "Rare Vectors" pane of Type Enforcement dashboard
- Fixed typo in installation instructions
- Upgrading app will no longer overwrite existing TA_linux-audit posix lookup files

Version 1.1.0
Feb. 26, 2015

New Features:
- Ability to filter by role in System Call dashboard
- Extraction of subject context fields in non-AVC type events
- Effective User ID resolution

Bug Fixes:
- Posix lookup generator saved search bug that truncated directories with more than 50K users

Version 1.0.1
Feb. 7, 2015

Various minor fixes since submission to Apptitude competition.


Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.