Teleport Audit Logs, Splunk Universal Forwarder

This post includes instructions for configuring Splunk Universal Forwarder for ingesting Teleport Audit Logs into your Splunk Enterprise Server.

On the server where you are running the Teleport Auth role, do the following.

Note: The below is specific to Ubuntu and may differ slightly for your operating system.

  1. Download the Splunk Forwarder for your distro. The downloads page is located here.
  2. After downloading the universal forwarder, install the packge.
    dpkg -i splunkforwarder...
  3. Enable the forwarder to start at boot. There’s a handy command that will install an init script. For more options (i.e. to use systemd), see this documentation.
    cd /opt/splunkforwarder/bin && ./splunk enable boot-start
  4. Add a forward server.
    ./splunk add forward-server \<splunk-enterprise-host\>:9997 -auth \<username\>:\<password\>
  5. Add a monitor.
    ./splunk add monitor /var/lib/teleport/log/events.log -auth \<username\>:\<password\>
  6. Restart the universal forwarder.
    ./splunk restart
  7. Log in to Teleport to generate a few events.
  8. Verify you are receiving events on the Splunk Enterprise Server.

The Splunk Enterprise Server enables line merge functionality by default. To prevent Splunk from merging lines, you should disable this feature on your Splunk Enterprise Server for Teleport audit events.

On your Splunk Enterprise server, create a props file (typically in /opt/splunk/etc/system/local/props.conf) with the following contents:

[host::\<teleport server name\>]
KV_MODE = json