Thanks for the quick response. I'm very new to Splunk. I am forwarding to an Indexer run by a third party, so determining if anything is working is difficult. The Forwarder is able to access the Solaris audit log file, so based on the Splunk log file I figured the problem is the fact that the Solaris audit log is not text. I used the praudit utility to output the current audit log to a text file in the same directory as the audit log file, but nothing showed up on the Indexer (no problems with RHEL or Windows). Ideas?