Set up auditd with custom security rules, configure Splunk Universal Forwarder for log shipping, and implement real-time monitoring workflows for comprehensive security event tracking and compliance reporting.
Prerequisites
- Root access
- Splunk indexer configured
- Network connectivity to Splunk server
What this solves
Linux audit system (auditd) combined with SIEM integration provides comprehensive security event monitoring, compliance logging, and threat detection capabilities. This setup captures system calls, file access, user activities, and security events, then ships them to Splunk for centralized analysis and alerting.
Step-by-step configuration
Install audit framework
Install auditd and the audisp plugin package. The kernel audit subsystem captures the events; auditd writes them to disk and the audisp plugins (used later for the optional syslog dispatcher) post-process them. There is no separate audit-utils package on Debian or Ubuntu: auditctl, ausearch and aureport ship inside the auditd package.
sudo apt update
sudo apt install -y auditd audispd-plugins
Configure audit rules for security monitoring
Create the rules file that augenrules assembles when auditd starts: /etc/audit/rules.d/audit.rules. augenrules concatenates every *.rules file in that directory in lexical order and loads the result with auditctl -R, so the order of files matters. The rules below watch identity and configuration files and log every execve, every socket call and every privilege-changing syscall. Two things to know before loading them. The execve and socket rules fire on every process start and every connection on the host, so a busy server produces tens of thousands of records an hour; budget disk and indexer licence for that, or narrow those rules with -F auid>=1000 -F auid!=unset to drop system-service noise. And the -w ... -p x watches on sudo, su, mount and passwd record a subset of what the execve rule already captures; they only add a searchable key, which is still useful. The arch=b32 lines cover 32-bit binaries on an x86_64 host.
# Delete existing rules and set buffer size
-D
-b 8192
-f 1
# Monitor authentication events
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/ssh/sshd_config -p wa -k sshd
# Monitor system configuration changes
-w /etc/hosts -p wa -k network
-w /etc/resolv.conf -p wa -k network
-w /etc/crontab -p wa -k cron
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /var/spool/cron/ -p wa -k cron
# Monitor privileged commands
-w /usr/bin/sudo -p x -k privileged
-w /usr/bin/su -p x -k privileged
-w /bin/mount -p x -k privileged
-w /bin/umount -p x -k privileged
-w /usr/bin/passwd -p x -k privileged
# Monitor network configuration
-a always,exit -F arch=b64 -S socket,connect,accept,bind,listen -k network
-a always,exit -F arch=b32 -S socket,connect,accept,bind,listen -k network
# Monitor file system operations
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -k delete
# Monitor process execution
-a always,exit -F arch=b64 -S execve -k execution
-a always,exit -F arch=b32 -S execve -k execution
# Monitor system calls for privilege escalation
-a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid -F success=1 -k privilege_escalation
-a always,exit -F arch=b32 -S setuid,setgid,setreuid,setregid -F success=1 -k privilege_escalation
Make the configuration immutable by putting -e 2 in its own file that sorts last, /etc/audit/rules.d/99-finalize.rules. Once this line has been loaded the kernel refuses any further rule change until reboot, so a rules file added afterwards (including the correlation rules later on this page) is ignored by augenrules --load until the next boot. Add every rule you want first, then enable immutability.
# /etc/audit/rules.d/99-finalize.rules: make configuration immutable
-e 2
Configure auditd daemon settings
Tune /etc/audit/auditd.conf for retention and failure handling. log_format = ENRICHED appends resolved names to every record (UID="root", AUID="alice", SYSCALL=setuid), which is what makes the Splunk searches below readable at the cost of larger records. max_log_file is megabytes per file and num_logs how many rotated files are kept (500 MB total here); space_left and admin_space_left are megabytes free on the log partition. The *_action settings decide what happens under disk pressure: SUSPEND keeps the host running but silently stops writing audit records, so anyone who fills /var/log blinds the audit trail. For a compliance host consider SINGLE or HALT for admin_space_left_action and disk_full_action, and at minimum alert on the SYSLOG message from space_left_action. The dispatcher and disp_qos keys of audit 2.x are left out: audit 3.x folded audispd into auditd and configures its plugins under /etc/audit/plugins.d/. auditd re-reads this file on SIGHUP (sudo systemctl reload auditd, or sudo pkill -HUP -x auditd).
# Log file configuration
log_file = /var/log/audit/audit.log
log_format = ENRICHED
log_group = adm
priority_boost = 4
flush = INCREMENTAL_ASYNC
freq = 50
num_logs = 5
name_format = HOSTNAME
max_log_file = 100
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
Install Splunk Universal Forwarder
Download the Universal Forwarder package that matches the host's package manager. This page installs with apt, so the Debian package is the right artefact; the .rpm with the same version and build in its name is for dnf/yum hosts and is installed with rpm -ivh. Splunk publishes a SHA-512 digest beside each download; compare it before installing. Create a dedicated unprivileged account for the forwarder so a compromised agent does not hold root.
cd /tmp
# Debian/Ubuntu package (use the ...-linux-2.6-x86_64.rpm from the same directory on RHEL-family hosts)
wget -O splunkforwarder-9.1.2-b6b9c8185839-linux-2.6-amd64.deb 'https://download.splunk.com/products/universalforwarder/releases/9.1.2/linux/splunkforwarder-9.1.2-b6b9c8185839-linux-2.6-amd64.deb'
sudo groupadd splunk
sudo useradd -r -g splunk -d /opt/splunkforwarder -s /bin/bash splunk
sudo dpkg -i /tmp/splunkforwarder-9.1.2-b6b9c8185839-linux-2.6-amd64.deb
Configure Splunk Universal Forwarder
Run the forwarder once as the splunk user to accept the licence and seed the local admin account, stop it, then write /opt/splunkforwarder/etc/system/local/outputs.conf. The password below is a placeholder; use a generated one, it protects the forwarder's management port (8089). Replace 203.0.113.10 with your indexer's address. useACK makes the forwarder keep data until the indexer confirms it was written, so an indexer restart does not lose events. As written the link is cleartext TCP: on any network you do not fully trust, set the TLS options in outputs.conf (sslRootCAPath, clientCert, sslVerifyServerCert) so audit data cannot be read or spoofed in transit.
sudo chown -R splunk:splunk /opt/splunkforwarder
sudo -u splunk /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd 'REPLACE_WITH_A_STRONG_PASSWORD'
sudo -u splunk /opt/splunkforwarder/bin/splunk stop
# /opt/splunkforwarder/etc/system/local/outputs.conf
[tcpout]
defaultGroup = splunk_indexers
[tcpout:splunk_indexers]
server = 203.0.113.10:9997
compressed = true
useACK = true
Configure audit log monitoring
Write /opt/splunkforwarder/etc/system/local/inputs.conf. Both the Debian paths (auth.log, syslog) and the RHEL path (secure) are listed; the forwarder simply skips files that do not exist. The security index must already exist on the indexer, events for an unknown index are dropped. Do not set host_segment here: it takes the host name from a path component, and for /var/log/audit/audit.log the fourth segment is the file name. Leave host at the forwarder's configured name. Index and sourcetype are assigned here, but line breaking, timestamps and field extraction are configured on the indexers and search heads in the next two steps; a Universal Forwarder does not parse events.
[monitor:///var/log/audit/audit.log]
disabled = false
index = security
sourcetype = linux:audit
[monitor:///var/log/auth.log]
disabled = false
index = security
sourcetype = linux:auth
[monitor:///var/log/secure]
disabled = false
index = security
sourcetype = linux:secure
[monitor:///var/log/syslog]
disabled = false
index = security
sourcetype = linux:syslog
Configure audit log parsing
Put the sourcetype definitions in props.conf on the indexers (index-time settings: line breaking, timestamp) and on the search heads (search-time settings: KV_MODE, REPORT-, EVAL-); on a single-instance deployment both are the same box. auditd writes one record per line and every line starts with type=, so that is the line breaker. The timestamp sits in msg=audit(EPOCH.MILLIS:SERIAL): TIME_PREFIX anchors on msg=audit( and TIME_FORMAT reads the epoch seconds and three subsecond digits; the serial after the colon is not part of the time and must not be consumed by the format. All records of one kernel event (SYSCALL, CWD, PATH, PROCTITLE) share that serial, which is how you join them at search time.
[linux:audit]
KV_MODE = auto
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)type=
TRUNCATE = 10000
TIME_PREFIX = msg=audit\(
MAX_TIMESTAMP_LOOKAHEAD = 15
TIME_FORMAT = %s.%3N
REPORT-audit = audit_kv
EVAL-vendor_product = "Linux auditd"
[linux:auth]
SHOULD_LINEMERGE = false
TRUNCATE = 10000
KV_MODE = auto
REPORT-auth = auth_extractions
[linux:secure]
SHOULD_LINEMERGE = false
TRUNCATE = 10000
KV_MODE = auto
REPORT-secure = secure_extractions
Create field extraction rules
Define the extractions in transforms.conf on the search heads. Audit values are either bare tokens or double-quoted strings (comm="sudo"), and USER_* records carry a nested msg='op=... acct="bob" ... res=failed' whose inner pairs automatic key/value extraction treats as one opaque value. The audit_kv regex therefore strips optional double quotes and stops at a single quote or whitespace, so it also picks up acct, addr and res from inside msg='...'. A value that contains spaces is cut at the first space; if you need those intact, the Splunk Add-on for Unix and Linux ships fuller auditd extractions. The syslog extraction accepts program names containing hyphens or dots (systemd-logind, cron.daily), which \w+ would miss.
[audit_kv]
REGEX = (\w+)="?([^"'\s]+)"?
FORMAT = $1::$2
MV_ADD = true
[auth_extractions]
REGEX = ^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s+([\w.-]+)(?:\[\d+\])?:\s*(.+)
FORMAT = timestamp::$1 host::$2 program::$3 message::$4
[secure_extractions]
REGEX = ^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s+([\w.-]+)(?:\[\d+\])?:\s*(.+)
FORMAT = timestamp::$1 host::$2 program::$3 message::$4
Set up file permissions and ownership
Let the forwarder read the audit log without running as root. auditd creates the log as root with mode 0640 and the group from log_group (adm, set above), and applies the same to every rotated file, so membership in adm is what grants access; the chmod and chown below only fix a log created before log_group was configured. On Debian-family hosts adm also reads auth.log and syslog. On RHEL-family hosts /var/log/secure is root-only (0600) by default; grant the forwarder user read access with an ACL (setfacl -m u:splunk:r /var/log/secure) and make sure logrotate preserves it. Group membership takes effect when the forwarder is next started.
sudo usermod -a -G adm splunk
sudo chmod 640 /var/log/audit/audit.log
sudo chown root:adm /var/log/audit/audit.log
sudo chown -R splunk:splunk /opt/splunkforwarder
Enable and start services
Start auditd, load the rules, and register the forwarder as a systemd unit. On Debian-family hosts the package already started auditd before the rules were written, so augenrules --load pushes them into the kernel now (if auditd was started fresh it already loaded them, and this command reports that the rule set is immutable). enable boot-start must run as root because it writes the unit file; -user splunk makes the unit run unprivileged and -systemd-managed 1 names it SplunkForwarder, which the status commands below expect.
sudo systemctl enable auditd
sudo systemctl start auditd
sudo systemctl status auditd
sudo augenrules --load
sudo /opt/splunkforwarder/bin/splunk enable boot-start -user splunk -systemd-managed 1
sudo systemctl start SplunkForwarder
sudo systemctl status SplunkForwarder
Configure real-time alerting
Optionally mirror audit records to syslog through the audisp syslog plugin, so a syslog pipeline or a second collector receives each record as it is written. The plugin file is /etc/audit/plugins.d/syslog.conf on audit 3.x (/etc/audisp/plugins.d/syslog.conf on 2.x). The priority and facility are passed as the plugin's args; they are not separate keys. Be deliberate about enabling this: it doubles the write volume of every audit event, and because the forwarder already tails audit.log, records sent to LOCAL0 also land in /var/log/syslog and get indexed twice with the inputs above. Enable it only when something else consumes the syslog copy, or exclude that facility from the syslog input.
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL0
format = string
Generate test audit events
Generate a few events and confirm they reached both the local log and the indexer. Each command maps to a rule above: touch, chmod and rm hit the execve rule and rm also the delete rule; su hits the privileged watch and the setuid rule; useradd and userdel write /etc/passwd and /etc/shadow (identity). ausearch -k filters the local log by key and -i resolves UIDs and syscall numbers; then search index=security on the indexer for the same records to confirm forwarding end to end.
sudo touch /tmp/audit_test_file
sudo chmod 755 /tmp/audit_test_file
sudo rm /tmp/audit_test_file
sudo su - root -c 'whoami'
sudo useradd -r testaudituser
sudo userdel testaudituser
sudo ausearch -k delete -i | tail -n 20
sudo ausearch -k identity -i | tail -n 20
sudo ausearch -k privilege_escalation -i | tail -n 20
Configure advanced SIEM integration
Set up audit event correlation
Add higher-signal detection rules in a second file, /etc/audit/rules.d/50-detection.rules (any name that sorts before 99-finalize.rules). If immutability is already active these rules load only at the next reboot, so plan rule changes before enabling -e 2. Calibrate expectations before alerting on them: watching /bin/bash and /bin/sh fires for every shell script and cron job on the host, so suspicious_shell is a key for baselining rather than an alert by itself, and data_exfiltration records every wget, curl, scp and rsync run, package updates and backups included. The kernel-module and time-change rules are low volume and worth alerting on directly. stime exists only in the 32-bit x86 syscall table, so it belongs in the b32 rule alone; naming it in the b64 rule makes auditctl reject that line.
# Monitor for suspicious shell activity
-w /bin/bash -p x -k suspicious_shell
-w /bin/sh -p x -k suspicious_shell
-w /usr/bin/nc -p x -k suspicious_network
-w /usr/bin/netcat -p x -k suspicious_network
# Monitor for data exfiltration
-w /usr/bin/wget -p x -k data_exfiltration
-w /usr/bin/curl -p x -k data_exfiltration
-w /usr/bin/scp -p x -k data_exfiltration
-w /usr/bin/rsync -p x -k data_exfiltration
# Monitor kernel module operations
-w /sbin/insmod -p x -k kernel_modules
-w /sbin/rmmod -p x -k kernel_modules
-w /sbin/modprobe -p x -k kernel_modules
# Monitor system time changes
-a always,exit -F arch=b64 -S adjtimex,settimeofday -k time_change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -k time_change
-a always,exit -F arch=b64 -S clock_settime -k time_change
-a always,exit -F arch=b32 -S clock_settime -k time_change
# Monitor failed login attempts
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
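Two of the loading problems described in this section and the first rules section (a rule placed after -e 2, and an i386-only syscall such as stime in an arch=b64 rule) are easy to catch before augenrules --load does. The linter below is an added example, not code from the page or from the audit package: it parses auditctl lines the way augenrules sees them after concatenating rules.d/*.rules, reports rules that follow -e 2, b64 rules naming i386-only syscalls, duplicate lines, and -p x watches made redundant by an execve rule, and rewrites the text with -e 2 last. The sample rules are constructed to contain exactly the page's mistakes; the i386-only syscall set is a partial list assumed for this example.

```python
"""Lint an auditctl rules file for mistakes that make augenrules --load fail or skip rules.

Added example for this page, not part of the page or of the audit tooling.
The i386-only syscall set is a partial list chosen for this example.
"""
import re
import shlex
from collections import Counter

I386_ONLY = {"stime", "socketcall", "ipc", "mmap2", "_llseek", "chown32", "setuid32", "setgid32"}
ONE_ARG = {"-a", "-w", "-b", "-f", "-e", "-p", "-k", "-F", "-S"}


def parse_rule(line):
    """One auditctl line -> dict (kind, arg, syscalls, filters, perms, key); None for blank/comment."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    toks = shlex.split(line)
    rule = {"text": line, "kind": toks[0], "arg": None, "syscalls": [],
            "filters": {}, "perms": None, "key": None}
    i = 0
    while i < len(toks):
        flag = toks[i]
        arg = toks[i + 1] if flag in ONE_ARG and i + 1 < len(toks) else None
        i += 2 if arg is not None else 1
        if flag == "-S":
            rule["syscalls"] += arg.split(",")
        elif flag == "-F":
            m = re.match(r"(\w+)([=!<>]+)(.*)", arg)
            if m:
                rule["filters"][m[1]] = (m[2], m[3])  # e.g. arch -> ("=", "b64")
        elif flag == "-k":
            rule["key"] = arg
        elif flag == "-p":
            rule["perms"] = arg
        elif flag in ("-a", "-w", "-D", "-b", "-f", "-e"):
            rule["kind"], rule["arg"] = flag, arg
    return rule


def lint_rules(text):
    """Return (severity, line_number, message) tuples for the rules text in load order
    (augenrules concatenates rules.d/*.rules sorted by name, so feed it that concatenation)."""
    parsed = ((n, parse_rule(ln)) for n, ln in enumerate(text.splitlines(), 1))
    rules = [(n, r) for n, r in parsed if r]
    findings, seen, immutable_at = [], set(), None
    has_execve = any("execve" in r["syscalls"] for _, r in rules)
    for n, r in rules:
        if immutable_at is not None:
            findings.append(("error", n, f"follows -e 2 on line {immutable_at}; ignored until reboot"))
        if r["kind"] == "-e" and r["arg"] == "2":
            immutable_at = n
        arch = r["filters"].get("arch", ("", ""))[1]
        bad = sorted(set(r["syscalls"]) & I386_ONLY) if arch == "b64" else []
        if bad:
            findings.append(("error", n, f"{','.join(bad)}: not in the x86_64 syscall table, auditctl rejects this rule"))
        if r["kind"] == "-w" and r["perms"] == "x" and has_execve:
            findings.append(("info", n, "execve is already audited; this watch only adds a key"))
        if r["text"] in seen:
            findings.append(("warning", n, "duplicate rule"))
        seen.add(r["text"])
    return findings


def move_immutable_last(text):
    """Drop every -e line and append -e 2 as the final directive (the page's 99-finalize.rules)."""
    kept = [ln for ln in text.splitlines() if (parse_rule(ln) or {}).get("kind") != "-e"]
    return "\n".join(kept + ["-e 2"]) + "\n"


# Constructed sample: the page's first file with -e 2 at the end, then rules appended later
SAMPLE_RULES = """\
-D
-b 8192
-f 1
-w /etc/shadow -p wa -k identity
-w /usr/bin/sudo -p x -k privileged
-a always,exit -F arch=b64 -S execve -k execution
-a always,exit -F arch=b32 -S execve -k execution
-e 2
# appended later, as in the correlation section
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S adjtimex,settimeofday,stime -k time_change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -k time_change
"""

if __name__ == "__main__":
    for severity, lineno, message in lint_rules(SAMPLE_RULES):
        print(f"{severity:7} line {lineno}: {message}")
```

On a live host, concatenate the files in load order (cat /etc/audit/rules.d/*.rules) and pass the text to lint_rules; after fixing the findings, sudo auditctl -s shows enabled 2 once the immutable rule has taken effect.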
Configure Splunk searches and alerts
Create saved searches on the search head for the scenarios below. Failed SSH logins need the user and source address pulled out of the sshd message first (the auth extraction above yields only timestamp, host, program and message), so the rex does that inline. Audit records carry no user field: auid is the login UID of the session that caused the event and survives sudo and su, and with log_format = ENRICHED the resolved name is also present as AUID, which the searches group by. The key, exe and auid fields live on the SYSCALL record, hence the type=SYSCALL filter.
# Failed login attempts
index=security sourcetype=linux:auth program=sshd "Failed password" | rex "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\S+)" | stats count by src_ip user | where count > 5
# Privilege escalation attempts
index=security sourcetype=linux:audit type=SYSCALL key=privilege_escalation | stats count by exe AUID | sort -count
# Suspicious file deletions
index=security sourcetype=linux:audit type=SYSCALL key=delete | stats count by exe AUID | sort -count
# Network connections from unusual processes
index=security sourcetype=linux:audit type=SYSCALL key=network | stats count by exe AUID | sort -count
# Kernel module installations
index=security sourcetype=linux:audit type=SYSCALL key=kernel_modules | table _time AUID exe
# Time manipulation attempts
index=security sourcetype=linux:audit type=SYSCALL key=time_change | table _time AUID exe SYSCALL
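To see what the props.conf and transforms.conf extractions above have to cope with, and what the saved searches in this section actually compute, here is an added Python example (not code from the page or from Splunk) that parses constructed auditd records, joins the records of one kernel event by their serial, decodes the hex-encoded proctitle, flattens the nested msg='...' of a USER_AUTH record, and runs the privilege-escalation, delete, time-change and failed-login logic offline. Hosts, users, addresses and serials in the samples are placeholders.

```python
"""Parse auditd records and run the page's saved-search logic over them offline.

Added example for this page, not code from the page or from Splunk. The log lines
below are constructed; hosts, users, IPs and serials are placeholders.
"""
import re
from collections import Counter, defaultdict

# Every auditd record starts with type=... msg=audit(EPOCH.MILLIS:SERIAL): ...
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# A value is "double quoted", 'single quoted' (the nested msg='...' of USER_* records)
# or a bare token; a plain (\w+)=([^\s]+) would stop at the first space inside msg='...'.
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
# auditd hex-encodes these string fields, unquoted, when they contain spaces or control
# bytes; a quoted value is never hex-encoded, so only bare values are decoded.
HEX_FIELDS = {"proctitle", "comm", "exe", "cwd", "name", "acct"}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_body(body):
    """Turn the key/value part of a record into a flat dict, quotes stripped, hex decoded."""
    fields = {}
    for key, val in KV_RE.findall(body):
        if val.startswith("'") and val.endswith("'"):
            fields.update(parse_body(val[1:-1]))  # flatten the nested PAM message
            continue
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        elif key in HEX_FIELDS and len(val) % 2 == 0 and HEX_RE.match(val):
            # proctitle separates argv entries with NUL; show them space-separated
            val = bytes.fromhex(val).decode("utf-8", "replace").replace("\x00", " ")
        fields[key] = val
    return fields


def parse_record(line):
    """One audit.log line -> dict with type, time, serial and every key/value field."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = parse_body(m["body"])
    rec.update(type=m["type"], time=float(m["ts"]), serial=int(m["serial"]))
    return rec


def group_events(lines):
    """Group records by serial: one kernel event is several records (SYSCALL, CWD, PATH,
    PROCTITLE) that the per-line LINE_BREAKER leaves as separate Splunk events."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def count_by_key(events, audit_key, fields=("exe", "AUID")):
    """Same answer as: sourcetype=linux:audit type=SYSCALL key=<audit_key> | stats count by exe AUID
    (key and exe sit on the SYSCALL record; AUID is the ENRICHED login name)."""
    counts = Counter()
    for recs in events.values():
        sysc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sysc is not None and sysc.get("key") == audit_key:
            counts[tuple(sysc.get(f, "-") for f in fields)] += 1
    return dict(counts)


# Syslog line as written to auth.log; program names may contain '-' and '.'
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<program>[\w.-]+)(?:\[\d+\])?:\s*(?P<message>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)")


def failed_logins(auth_lines, threshold=5):
    """Same answer as the failed-login search: sshd 'Failed password' counted by (src_ip, user),
    keeping only pairs above the threshold."""
    counts = Counter()
    for line in auth_lines:
        m = SYSLOG_RE.match(line)
        if not m or m["program"] != "sshd":
            continue
        f = FAILED_RE.search(m["message"])
        if f:
            counts[(f["src_ip"], f["user"])] += 1
    return {pair: n for pair, n in counts.items() if n > threshold}


# Constructed sample: a sudo setuid, an rm of the test file, a clock change, a failed ssh auth
AUDIT_SAMPLE = """\
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=105 success=yes exit=0 items=0 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 ses=3 tty=pts0 comm="sudo" exe="/usr/bin/sudo" key="privilege_escalation" ARCH=x86_64 SYSCALL=setuid AUID="alice" UID="root"
type=PROCTITLE msg=audit(1700000000.123:101): proctitle=7375646F002D69
type=SYSCALL msg=audit(1700000000.456:102): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=1234 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 tty=pts0 comm="rm" exe="/usr/bin/rm" key="delete" ARCH=x86_64 SYSCALL=unlink AUID="alice" UID="alice"
type=CWD msg=audit(1700000000.456:102): cwd="/home/alice"
type=PATH msg=audit(1700000000.456:102): item=1 name="/tmp/audit_test_file" inode=4242 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=DELETE OUID="alice" OGID="alice"
type=SYSCALL msg=audit(1700000001.000:103): arch=c000003e syscall=227 success=yes exit=0 items=0 ppid=1234 pid=1400 auid=1000 uid=0 gid=0 euid=0 ses=3 tty=pts0 comm="date" exe="/usr/bin/date" key="time_change" ARCH=x86_64 SYSCALL=clock_settime AUID="alice" UID="root"
type=USER_AUTH msg=audit(1700000002.000:104): pid=2200 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="bob" exe="/usr/sbin/sshd" hostname=203.0.113.77 addr=203.0.113.77 terminal=ssh res=failed' UID="root" AUID="unset"
"""
AUTH_SAMPLE = [
    f"Nov 12 10:00:0{i} web01 sshd[410{i}]: Failed password for invalid user bob from 203.0.113.77 port 5000{i} ssh2"
    for i in range(1, 7)
] + [
    "Nov 12 10:00:09 web01 sshd[4107]: Failed password for alice from 198.51.100.5 port 50009 ssh2",
    "Nov 12 10:00:10 web01 systemd-logind[800]: New session 5 of user alice.",
]

if __name__ == "__main__":
    events = group_events(AUDIT_SAMPLE.splitlines())
    for audit_key in ("privilege_escalation", "delete", "time_change"):
        print(audit_key, count_by_key(events, audit_key))
    print("failed logins over threshold:", failed_logins(AUTH_SAMPLE))
```

The same grouping by serial is what a Splunk search needs when it wants the file name of a delete (on the PATH record) next to the exe and AUID (on the SYSCALL record): extract the serial from msg=audit( and stats by it, rather than expecting both on one event.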
Verify your setup
# Check auditd status
sudo systemctl status auditd
# Verify audit rules are loaded
sudo auditctl -l
# Check Splunk Universal Forwarder status
sudo systemctl status SplunkForwarder
# Test log forwarding
sudo /opt/splunkforwarder/bin/splunk list forward-server
# Monitor audit log generation
sudo tail -f /var/log/audit/audit.log
# Check audit statistics (enabled 2 means the rule set is immutable; lost > 0 means the backlog overflowed)
sudo auditctl -s
Configure monitoring dashboards
This tutorial complements our existing monitoring setup. For comprehensive security monitoring, you can integrate this audit system with Elasticsearch and Kibana for compliance reporting or enhance it with automated compliance scanning using OpenSCAP.
| Metric | Splunk Search | Alert Threshold |
|---|---|---|
| Failed logins | sourcetype=linux:auth program=sshd "Failed password" \| rex "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\S+)" \| stats count by src_ip | Count > 5 in 5 minutes |
| Privilege escalation | sourcetype=linux:audit type=SYSCALL key=privilege_escalation \| stats count by exe AUID | Any AUID outside the admin allowlist, or any exe other than the expected sudo, su and login binaries (every sudo and login triggers this rule, so "any occurrence" is too noisy) |
| File system changes | sourcetype=linux:audit type=SYSCALL key=delete \| stats count by exe AUID | Count > 10 in 1 hour |
| Network activity | sourcetype=linux:audit type=SYSCALL key=network \| stats count by exe | exe not present in the host's 30-day baseline |
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| Audit rules not loading | Syntax error in a rules file, or the kernel is already immutable (-e 2 loaded) | Run sudo augenrules --load and read the reported line; if sudo auditctl -s shows enabled 2, fix the file and reboot |
| Splunk not receiving logs | Network connectivity or permissions | Check /opt/splunkforwarder/var/log/splunk/splunkd.log |
| High disk usage | Excessive audit logging | Adjust audit rules or log rotation settings |
| Permission denied on logs | Forwarder user cannot read the log | sudo usermod -a -G adm splunk; sudo chown root:adm /var/log/audit/audit.log; restart SplunkForwarder so the new group applies |
| Auditd won't start | Configuration errors | Check journalctl -u auditd for errors |
Next steps
- Configure automated compliance scanning with OpenSCAP and audit reporting
- Implement Linux security hardening with CIS benchmarks
- Configure advanced Splunk correlation rules for threat detection
- Set up security incident response automation with Splunk Phantom
Automated install script
Run this to automate the entire setup
#!/usr/bin/env bash
set -euo pipefail
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
# Configuration variables
SPLUNK_VERSION="9.1.2"
SPLUNK_BUILD="b6b9c8185839"
SPLUNK_INDEXER=${1:-""}
SPLUNK_PORT=${2:-"9997"}
# Usage message
usage() {
echo "Usage: $0 <splunk_indexer_ip> [port]"
echo "Example: $0 192.168.1.100 9997"
exit 1
}
# Validate arguments
if [[ -z "$SPLUNK_INDEXER" ]]; then
usage
fi
# Cleanup function
cleanup() {
echo -e "${RED}[ERROR] Installation failed. Cleaning up...${NC}"
systemctl stop auditd 2>/dev/null || true
systemctl stop SplunkForwarder 2>/dev/null || true
rm -f /tmp/splunkforwarder-*.rpm /tmp/splunkforwarder-*.deb
}
trap cleanup ERR
# Check if running as root
if [[ $EUID -ne 0 ]]; then
echo -e "${RED}This script must be run as root${NC}"
exit 1
fi
echo -e "${BLUE}Linux Audit System with SIEM Integration Setup${NC}"
echo "=============================================="
# Detect distribution and set package manager
echo -e "${YELLOW}[1/9] Detecting distribution...${NC}"
if [[ -f /etc/os-release ]]; then
. /etc/os-release
case "$ID" in
ubuntu|debian)
PKG_MGR="apt"
PKG_UPDATE="apt update"
PKG_INSTALL="apt install -y"
SPLUNK_PKG="deb"
;;
almalinux|rocky|centos|rhel|ol|fedora)
PKG_MGR="dnf"
PKG_UPDATE="dnf makecache"
PKG_INSTALL="dnf install -y"
SPLUNK_PKG="rpm"
# Check if dnf exists, fallback to yum
if ! command -v dnf &> /dev/null; then
PKG_MGR="yum"
PKG_UPDATE="yum makecache"
PKG_INSTALL="yum install -y"
fi
;;
amzn)
PKG_MGR="yum"
PKG_UPDATE="yum makecache"
PKG_INSTALL="yum install -y"
SPLUNK_PKG="rpm"
;;
*)
echo -e "${RED}Unsupported distribution: $ID${NC}"
exit 1
;;
esac
echo -e "${GREEN}Detected: $PRETTY_NAME${NC}"
else
echo -e "${RED}Cannot detect distribution${NC}"
exit 1
fi
# Update package repositories
echo -e "${YELLOW}[2/9] Updating package repositories...${NC}"
$PKG_UPDATE
# Install audit framework
echo -e "${YELLOW}[3/9] Installing audit framework...${NC}"
if [[ "$PKG_MGR" == "apt" ]]; then
$PKG_INSTALL auditd audispd-plugins
else
$PKG_INSTALL audit audit-libs audispd-plugins
fi
# Configure audit rules
echo -e "${YELLOW}[4/9] Configuring audit rules...${NC}"
cat > /etc/audit/rules.d/audit.rules << 'EOF'
# Delete existing rules and set buffer size
-D
-b 8192
-f 1
# Monitor authentication events
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/ssh/sshd_config -p wa -k sshd
# Monitor system configuration changes
-w /etc/hosts -p wa -k network
-w /etc/resolv.conf -p wa -k network
-w /etc/crontab -p wa -k cron
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /var/spool/cron/ -p wa -k cron
# Monitor privileged commands
-w /usr/bin/sudo -p x -k privileged
-w /usr/bin/su -p x -k privileged
-w /bin/mount -p x -k privileged
-w /bin/umount -p x -k privileged
-w /usr/bin/passwd -p x -k privileged
# Monitor network configuration
-a always,exit -F arch=b64 -S socket,connect,accept,bind,listen -k network
-a always,exit -F arch=b32 -S socket,connect,accept,bind,listen -k network
# Monitor file system operations
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -k delete
# Monitor process execution
-a always,exit -F arch=b64 -S execve -k execution
-a always,exit -F arch=b32 -S execve -k execution
# Monitor privilege escalation
-a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid -F success=1 -k privilege_escalation
-a always,exit -F arch=b32 -S setuid,setgid,setreuid,setregid -F success=1 -k privilege_escalation
EOF
# Immutability goes in a file that sorts last, so rules files added later are still loaded
printf -- '-e 2\n' > /etc/audit/rules.d/99-finalize.rules
# Configure auditd daemon
echo -e "${YELLOW}[5/9] Configuring auditd daemon...${NC}"
cat > /etc/audit/auditd.conf << 'EOF'
log_file = /var/log/audit/audit.log
log_format = ENRICHED
log_group = adm
priority_boost = 4
flush = INCREMENTAL_ASYNC
freq = 50
num_logs = 5
name_format = HOSTNAME
max_log_file = 100
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
EOF
# Download and install Splunk Universal Forwarder
echo -e "${YELLOW}[6/9] Installing Splunk Universal Forwarder...${NC}"
cd /tmp
if [[ "$SPLUNK_PKG" == "deb" ]]; then
SPLUNK_FILE="splunkforwarder-${SPLUNK_VERSION}-${SPLUNK_BUILD}-linux-2.6-amd64.deb"
wget -O "$SPLUNK_FILE" "https://download.splunk.com/products/universalforwarder/releases/${SPLUNK_VERSION}/linux/${SPLUNK_FILE}"
dpkg -i "$SPLUNK_FILE"
else
SPLUNK_FILE="splunkforwarder-${SPLUNK_VERSION}-${SPLUNK_BUILD}-linux-2.6-x86_64.rpm"
wget -O "$SPLUNK_FILE" "https://download.splunk.com/products/universalforwarder/releases/${SPLUNK_VERSION}/linux/${SPLUNK_FILE}"
rpm -ivh "$SPLUNK_FILE"
fi
# Create splunk user and set permissions
groupadd -f splunk
if ! id splunk &>/dev/null; then
useradd -r -g splunk -d /opt/splunkforwarder -s /bin/bash splunk
fi
chown -R splunk:splunk /opt/splunkforwarder
# Configure Splunk Universal Forwarder
echo -e "${YELLOW}[7/9] Configuring Splunk Universal Forwarder...${NC}"
# Create inputs.conf
mkdir -p /opt/splunkforwarder/etc/system/local
# Sourcetypes match the props.conf stanzas and saved searches; the security index must exist on the indexer
cat > /opt/splunkforwarder/etc/system/local/inputs.conf << 'EOF'
[monitor:///var/log/audit/audit.log]
disabled = false
sourcetype = linux:audit
index = security
[monitor:///var/log/auth.log]
disabled = false
sourcetype = linux:auth
index = security
[monitor:///var/log/secure]
disabled = false
sourcetype = linux:secure
index = security
EOF
# Create outputs.conf
cat > /opt/splunkforwarder/etc/system/local/outputs.conf << EOF
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = ${SPLUNK_INDEXER}:${SPLUNK_PORT}
useACK = true
EOF
# Set correct permissions
chown -R splunk:splunk /opt/splunkforwarder/etc/system/local
chmod 755 /opt/splunkforwarder/etc/system/local
chmod 644 /opt/splunkforwarder/etc/system/local/*.conf
# Register the forwarder as a systemd unit (SplunkForwarder) that runs as the splunk user; this must run as root
/opt/splunkforwarder/bin/splunk enable boot-start -user splunk -systemd-managed 1 --accept-license --answer-yes --no-prompt
chown -R splunk:splunk /opt/splunkforwarder
# Start and enable services
echo -e "${YELLOW}[8/9] Starting services...${NC}"
systemctl enable --now auditd
# auditd re-reads auditd.conf on SIGHUP
systemctl reload auditd 2>/dev/null || pkill -HUP -x auditd
# Load the new rules unless the kernel is already immutable (then they apply at the next boot)
if auditctl -s | grep -q '^enabled 2'; then
echo -e "${YELLOW}Audit rules are immutable; new rules load at the next reboot${NC}"
else
augenrules --load
fi
systemctl enable --now SplunkForwarder
# The forwarder only makes outbound connections, so no inbound port is opened on this host;
# check that the indexer's receiving port is reachable instead
if ! timeout 5 bash -c "exec 3<>/dev/tcp/${SPLUNK_INDEXER}/${SPLUNK_PORT}"; then
echo -e "${RED}Cannot reach ${SPLUNK_INDEXER}:${SPLUNK_PORT}; check the indexer's receiving port and the network path${NC}"
exit 1
fi
# Verification
echo -e "${YELLOW}[9/9] Verifying installation...${NC}"
# Check auditd status
if systemctl is-active --quiet auditd; then
echo -e "${GREEN}✓ Auditd is running${NC}"
else
echo -e "${RED}✗ Auditd is not running${NC}"
exit 1
fi
# Check forwarder status
if systemctl is-active --quiet SplunkForwarder; then
echo -e "${GREEN}✓ Splunk Universal Forwarder is running${NC}"
else
echo -e "${RED}✗ Splunk Universal Forwarder is not running${NC}"
exit 1
fi
# Check audit rules
if auditctl -l | grep -q "identity\|network\|privileged"; then
echo -e "${GREEN}✓ Audit rules are loaded${NC}"
else
echo -e "${RED}✗ Audit rules are not loaded${NC}"
fi
# Check log files
if [[ -f /var/log/audit/audit.log ]]; then
echo -e "${GREEN}✓ Audit log file exists${NC}"
else
echo -e "${RED}✗ Audit log file not found${NC}"
fi
# Cleanup downloaded files
rm -f /tmp/splunkforwarder-*.rpm /tmp/splunkforwarder-*.deb
echo -e "${GREEN}Installation completed successfully!${NC}"
echo -e "${BLUE}Configuration summary:${NC}"
echo "- Audit logs: /var/log/audit/audit.log"
echo "- Splunk forwarder: /opt/splunkforwarder"
echo "- Forwarding to: ${SPLUNK_INDEXER}:${SPLUNK_PORT}"
echo "- Forwarder management port (REST only, a Universal Forwarder has no web UI): https://localhost:8089"
echo "- Check forwarding: /opt/splunkforwarder/bin/splunk list forward-server"
Review the script before running. Execute it as root with the indexer address: sudo bash install.sh <splunk_indexer_ip> [port]