Apps:AuditDataCollection

From Splunk Wiki


Most operating systems can capture audit information. File system audit records are the most familiar kind, but many other events (logins, privilege use, process execution, audit subsystem start and stop) can be recorded as well. How auditing is enabled and how the records are read differs from operating system to operating system, so each is covered separately below.

RedHat Linux

OS X Leopard

Apple provides a Mac OS X Security Configuration document that outlines how to enable auditing on OS X.

You first have to download the Common Criteria tools for your OS X release from http://www.apple.com/support/security/commoncriteria, then follow the documentation on page 202. In short, you edit /etc/hostconfig and add

  AUDIT=-YES- 

to it. Restart the computer and audit records will be written to /var/log/audit (the trail directory is set by the dir: entry in /etc/security/audit_control). The trail files are binary BSM records, so you have to use praudit to read them:

  praudit 20071225050142.20071225220015

A sample entry looks like this:

  header,50,1,audit startup,0,Wed Sep 17 22:42:15 2008, + 961 msec
  text,auditd::Audit startup
  trailer,50

By default praudit prints one token per line, so a single record spans several lines (from its header token to its trailer token), and the timestamp sits inside the header token rather than at the start of the message. Make sure Splunk breaks events at record boundaries and is told where the timestamp is; newer praudit builds also accept -l to print each record on one line, which makes event breaking trivial. Use a scripted input that calls a script to run praudit over the trail files in order to load the data into Splunk. The Splunk for UNIX application shows how this is done for Linux auditd logs.
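The following script is an added example of the scripted-input approach described above; it is not code from the Splunk wiki or from the Splunk for UNIX app. It joins praudit's one-token-per-line output into one line per record (header through trailer) so that Splunk sees exactly one event per audit record, and it skips the trail file that auditd is still writing. The sample praudit output is constructed inline from the wiki's own sample entry; the trail directory argument, the .not_terminated suffix and the current symlink name are OpenBSM conventions assumed here.

```shell
#!/bin/sh
# Added example for a Splunk scripted input (not the wiki's or Splunk's own
# code): emit one audit record per line from praudit output.

# join_records: read praudit's default output (one token per line) on stdin
# and print each record on a single line, separated by spaces. A record runs
# from a "header," token to the next "trailer," token.
join_records() {
    awk '
        /^header,/           { rec = $0; inrec = 1; next }
        inrec && /^trailer,/ { print rec " " $0; inrec = 0; rec = ""; next }
        inrec                { rec = rec " " $0 }
    '
}

# Constructed sample of praudit output: two records in the form the wiki's
# sample entry shows (tokens one per line). Used when no directory is given.
SAMPLE='header,50,1,audit startup,0,Wed Sep 17 22:42:15 2008, + 961 msec
text,auditd::Audit startup
trailer,50
header,47,1,audit shutdown,0,Wed Sep 17 22:50:01 2008, + 12 msec
text,auditd::Audit shutdown
trailer,47'

# Number of records join_records produces from the constructed sample.
sample_record_count() {
    printf '%s\n' "$SAMPLE" | join_records | wc -l | tr -d ' '
}

# The first joined record from the constructed sample.
sample_first_record() {
    printf '%s\n' "$SAMPLE" | join_records | head -n 1
}

# Real use: run praudit over every finished trail file in the audit directory
# (e.g. /var/log/audit as the wiki states, or whatever dir: names in
# /etc/security/audit_control). The trail auditd is still writing ends in
# .not_terminated, and "current" is auditd's symlink to it; both are skipped
# (assumed OpenBSM naming) so a partially written record is never emitted.
dump_audit_dir() {
    dir="$1"
    for f in "$dir"/*; do
        case "$f" in *.not_terminated|*/current) continue ;; esac
        [ -f "$f" ] || continue
        praudit "$f" | join_records
    done
}

if [ "$#" -gt 0 ]; then
    dump_audit_dir "$1"
else
    printf '%s\n' "$SAMPLE" | join_records
fi
```

Run it with the trail directory as the only argument from the scripted input. Because the joined line starts with the header token, the timestamp is still not at the beginning of the event, so set a TIME_PREFIX in props.conf for the sourcetype that skips the header fields before the date (for the sample record, everything up to the fifth comma).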

Solaris 10

Windows

On Windows, you have to enable object access auditing in the audit policy and then add auditing entries (a SACL) to the files or folders you want to watch; only then are file system access events written to the Security event log, from which Splunk can collect them. A worked example of setting up auditing for the Windows file system was linked from here.
