Recommended configuration for rsyslog server in PE and PC

Question

IHAC who has configured splunk as their remote syslog server. They have also configured “Audit” module for both PE and PC. To test the logging, they are able to see events such as VMs powered off and on in splunk. But they are not able to gather any information on events such as user accounts creation / deletion, as we tried to create some local accounts in PE and PC to test. Do they need to configure anything else to capture such events?

StanleyG · Answer

We have a similar configuration. There is no indication that any audit log events make it to Splunk even when DEBUG or INFO levels are set. This completely defeats the purpose of audit logs since the ones in Prism Central roll off far too fast to be useful.We had hoped to have a facility similar to VMWare in AHV that would allow us to see who modified VMs (power off, delete, etc.). However, we’ve found no way to do this. Very disappointing and potentially a show-stopper since we are required by regulations to store and retain these audit records for a minimum of 18 months.If anyone has had success with this, please let me know.

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded