splunk / attack_range

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
Apache License 2.0

No logs from journald #830

Closed blvrkr closed 1 year ago

blvrkr commented 1 year ago

Splunk Universal Forwarder on a Linux VM can't read logs from journald (e.g. sysmon) due to insufficient permissions. Encountered on local deployment.

Solution: add splunk user to systemd-journal group
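The fix proposed in the comment above, written out as an added example that is not part of the attack_range project: a small POSIX shell helper that checks whether the forwarder's service account is already a member of `systemd-journal` and adds it only if needed. It assumes the forwarder runs as a user named `splunk` and that the distribution grants read access to the journal files to the `systemd-journal` group (both assumptions, adjust for your host).

```bash
#!/bin/sh
# Added example (not attack_range code): give the Splunk Universal Forwarder's
# service account read access to journald by adding it to systemd-journal.
# Assumptions: forwarder runs as user "splunk"; journal files are readable by
# the "systemd-journal" group on this distribution.

# group_has_member LINE USER
# Parses one /etc/group-style line ("name:x:gid:member1,member2") and returns
# 0 if USER is listed as a supplementary member of that group, 1 otherwise.
# Kept separate from the live check so it can be exercised without root.
group_has_member() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    for m in $(printf '%s\n' "$members" | tr ',' ' '); do
        [ "$m" = "$2" ] && return 0
    done
    return 1
}

# ensure_journal_access [USER] [GROUP]
# Live check on a host: looks up GROUP via getent and, if USER is not already a
# member, adds it with usermod -aG (requires root). Exit codes: 0 ok, 1 usermod
# failed, 2 group does not exist on this system.
ensure_journal_access() {
    user=${1:-splunk}
    group=${2:-systemd-journal}
    line=$(getent group "$group") || { echo "group $group not found" >&2; return 2; }
    if group_has_member "$line" "$user"; then
        echo "$user is already a member of $group"
        return 0
    fi
    usermod -aG "$group" "$user" || return 1
    echo "added $user to $group; restart the forwarder so the new group membership applies"
}

# Verification after the change (as root), to confirm the account can now read
# the journal without the forwarder involved:
#   sudo -u splunk journalctl -n 1 --no-pager
```

Group membership is evaluated when a process starts, so the running forwarder keeps its old credentials until it is restarted; the `journalctl` line run as the service account is a quick way to confirm the permission problem is gone before touching Splunk inputs.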

blvrkr commented 1 year ago

PR #831

blvrkr commented 1 year ago

When I fixed that in my local setup I realized that sysmon is logging everything, which led to ingestion of 5G+ of events from the ar-linux box per day. I've excluded events 11 (FileCreate) and 23 (FileDelete) for now, will need to think about what should be included there to not overload Splunk.

blvrkr commented 1 year ago

Resolved in a different way by #834