splunk/attack_range

No logs from journald

blvrkr opened this issue · 3 comments

Splunk Universal Forwarder on a Linux VM can't read logs from journald (e.g. sysmon) due to insufficient permissions.
Encountered on local deployment.

Solution: add splunk user to systemd-journal group

When I fixed that in my local setup I realized that sysmon is logging everything, which led to the ingestion of 5G+ of events from the ar-linux box per day.
I've excluded events 11 (FileCreate) and 23 (FileDelete) for now; I will need to think about what should be included there so as not to overload Splunk.
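A check-and-fix script for the group-membership fix described above, added here as an example and not code from the attack_range project. It assumes the forwarder runs as the local account `splunk` and that the distribution uses the default `systemd-journal` group; both names are assumptions. Group changes only apply to new sessions, so the forwarder process must be restarted after the change.

```shell
#!/bin/sh
# Added example (not part of attack_range): verify that a service account can
# read journald and, when asked, add it to the systemd-journal group.
# Assumed names: account "splunk", group "systemd-journal".

# Return 0 if user $1 is a member of group $2 (primary or supplementary).
user_in_group() {
    user="$1"; group="$2"
    for g in $(id -nG "$user" 2>/dev/null); do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}

# Return 0 if the invoking user can read at least one journal entry.
journal_readable() {
    journalctl -q -n 1 >/dev/null 2>&1
}

# Add the account to systemd-journal; -a appends, so re-running is harmless.
# Must run as root. The forwarder must be restarted afterwards, because a
# running process keeps the groups it was started with.
grant_journal_access() {
    user="$1"
    if user_in_group "$user" systemd-journal; then
        return 0
    fi
    usermod -aG systemd-journal "$user" || return 1
    echo "added $user to systemd-journal; restart the forwarder to apply"
}

# Print the current state for the assumed account.
report() {
    if user_in_group splunk systemd-journal; then
        echo "splunk: member of systemd-journal"
    else
        echo "splunk: NOT a member of systemd-journal (journald will be unreadable)"
    fi
    if journal_readable; then
        echo "current user: can read the journal"
    else
        echo "current user: cannot read the journal (or journalctl is unavailable)"
    fi
}

# Usage: sh journal_access.sh          -> report only
#        sudo sh journal_access.sh --fix -> report, then grant access
report
if [ "${1:-}" = "--fix" ]; then
    grant_journal_access splunk
fi
```

Run it without arguments first to see the state; the `--fix` path needs root because `usermod` modifies `/etc/group`. The membership check deliberately inspects the target account rather than the shell running the script, since the relevant question is what `splunkd` itself can read.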

Resolved in a different way by #834