Hi Farhan,
Naturally you can change it to suit your environment but any suggestions for improvement are much appreciated. :)
The app has three identity lookups it merges together: local, directory and learnt. The first two you’re meant to populate (see here for more details:
https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#configuration),
but technically you don’t have to bother because version 2 automatically learns POSIX identities being used in your environment by periodically updating the ‘learnt’ lookup based upon USER_START events.
Cheers,
Doug
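As an added illustration of the learning step Doug describes (not code from the splunk_auditd app), the snippet below builds an auid-to-account map from USER_START records and merges it with local and directory lookups. The sample audit lines are constructed, and the precedence local > directory > learnt is an assumption, not the app's documented behaviour.

```python
import re

# Constructed USER_START records in auditd's native format (not real log data).
SAMPLE_AUDIT_LINES = [
    'type=USER_START msg=audit(1700000000.123:456): pid=2201 uid=0 auid=1001 ses=7 '
    'msg=\'op=PAM:session_open grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" '
    'hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success\'',
    'type=USER_START msg=audit(1700000010.456:457): pid=2300 uid=0 auid=1002 ses=8 '
    'msg=\'op=PAM:session_open grantors=pam_unix acct="bob" exe="/usr/bin/login" '
    'hostname=? addr=? terminal=tty1 res=success\'',
    # A failed session open: skipped so a bad login attempt cannot poison the lookup.
    'type=USER_START msg=audit(1700000020.789:458): pid=2400 uid=0 auid=1003 ses=9 '
    'msg=\'op=PAM:session_open grantors=? acct="mallory" exe="/usr/sbin/sshd" '
    'hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=failed\'',
]

# Pull the login uid, the PAM account name and the result out of a USER_START record.
USER_START_RE = re.compile(
    r'type=USER_START .*?\bauid=(\d+)\b.*?\bacct="([^"]+)".*?\bres=(\w+)'
)
UNSET_AUID = 4294967295  # (unsigned)-1: auditd's value for an unset login uid


def learn_identities(lines):
    """Return {auid: acct} learnt from successful USER_START records only."""
    learnt = {}
    for line in lines:
        m = USER_START_RE.search(line)
        if not m:
            continue
        auid, acct, res = int(m.group(1)), m.group(2), m.group(3)
        if res != "success" or auid == UNSET_AUID:
            continue  # ignore failures and sessions with no login uid
        learnt[auid] = acct
    return learnt


def merge_identities(local, directory, learnt):
    """Merge the three lookups; assumed precedence is local > directory > learnt."""
    merged = dict(learnt)
    merged.update(directory)
    merged.update(local)
    return merged


if __name__ == "__main__":
    learnt = learn_identities(SAMPLE_AUDIT_LINES)
    print(merge_identities({1001: "alice (local)"}, {1002: "bob@corp"}, learnt))
```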
"I've turned SELinux off ... and as per Dan Walsh that's a bad thing." Love it.
Some questions.
1. For the Severe Events panel: Where is the severity coming from? The auditd logs don't show a severity rating.
2. AUID to username mapping: How are you doing this? Via tty logs or fetching passwd file contents somehow?
Thanks,
Farhan