Hi,
Can we integrate Audit Trail with Splunk?
This is the best solution I can think of. The way Audit Trail works is: if you configure it to load data from (e.g.) 01-01-2018 to 01-03-2018, the Audit Trail server will go to the LF Server and get the audit logs for those dates (these are text files, which by default sit on the LF Server but can be configured to sit at another location). LF Audit then imports this data into the database. Therefore, not all data is available in the DB, only the configured range. What they could do is configure LF Audit to sync the last X days of data; this way they will have data available in the DB, and it can then be read by other third-party applications.
That is probably best, since it saves you from having to parse the audit log files.
Thanks for validating Brian.
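As an added illustration of the approach Uzair describes (read the Audit Trail database on a schedule instead of parsing the raw log files), here is a small forwarder that polls the DB incrementally and pushes events to Splunk's HTTP Event Collector. It is example code written for this thread, not Laserfiche's or Splunk's own code. The table and column names (`audit_events`, `event_id`, `event_time`, and so on) are hypothetical stand-ins for the real Audit Trail schema, the HEC URL, token and host name are placeholders, and the sample rows are constructed inline in SQLite so the script runs offline. It also carries the caveat Uzair points out: only the configured window of data exists in the DB, so a checkpoint that has fallen behind the start of that window means rows were never imported and have to be backfilled from the log files rather than silently skipped.

```python
import json
import sqlite3
import urllib.request
from datetime import datetime, timedelta, timezone

# Placeholders: point these at the real HEC endpoint and token in your environment.
HEC_URL = "https://splunk.example.internal:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"
SYNC_DAYS = 7  # the "last X days" Audit Trail is configured to import into its DB

# Hypothetical table layout standing in for the Audit Trail DB; the real schema differs.
SCHEMA = """
CREATE TABLE audit_events (
    event_id INTEGER PRIMARY KEY, event_time TEXT NOT NULL,  -- ISO-8601, UTC
    user_name TEXT NOT NULL, action TEXT NOT NULL,
    entry_path TEXT NOT NULL, success INTEGER NOT NULL)
"""

# Constructed sample rows, not real audit data.
SAMPLE_ROWS = [
    (1, "2018-01-01T09:00:00", "jsmith", "Login", "", 1),
    (2, "2018-01-01T09:05:00", "jsmith", "ExportDocument", "\\Finance\\Q4-report.pdf", 1),
    (3, "2018-01-02T10:15:00", "svc_backup", "Login", "", 0),
]


def build_sample_db():
    """In-memory SQLite stand-in for the Audit Trail database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO audit_events VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def parse_time(iso_text):
    """Audit timestamps are stored as naive ISO-8601 text; treat them as UTC."""
    return datetime.fromisoformat(iso_text).replace(tzinfo=timezone.utc)


def fetch_since(conn, last_event_id, limit=500):
    """Incremental read: only rows newer than the checkpoint, in insertion order."""
    cur = conn.execute(
        "SELECT event_id, event_time, user_name, action, entry_path, success "
        "FROM audit_events WHERE event_id > ? ORDER BY event_id LIMIT ?",
        (last_event_id, limit),
    )
    names = [d[0] for d in cur.description]
    return [dict(zip(names, row)) for row in cur.fetchall()]


def to_hec_event(row):
    """One HEC event; 'time' is epoch seconds so Splunk keeps the original timestamp."""
    return {
        "time": parse_time(row["event_time"]).timestamp(),
        "host": "lf-audit-01",  # assumed host name of the Audit Trail server
        "source": "laserfiche:audittrail",
        "sourcetype": "laserfiche:audit",
        "event": {k: row[k] for k in ("event_id", "user_name", "action", "entry_path", "success")},
    }


def hec_payload(rows):
    """HEC accepts several JSON objects concatenated in one POST body."""
    return "\n".join(json.dumps(to_hec_event(r)) for r in rows)


def decode_payload(payload):
    """Inverse of hec_payload, handy for inspecting what would be sent."""
    return [json.loads(line) for line in payload.splitlines() if line]


def send_to_hec(payload, url=HEC_URL, token=HEC_TOKEN):
    """POST one batch to /services/collector/event with the HEC token header."""
    req = urllib.request.Request(
        url, data=payload.encode("utf-8"), method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def checkpoint_within_window(last_event_time, now, sync_days=SYNC_DAYS):
    """Only the configured window exists in the DB. If the checkpoint is older than
    the start of that window, rows in between were never imported and must be
    backfilled from the log files; do not just advance past them."""
    return now - last_event_time <= timedelta(days=sync_days)


def run_once(conn, state, sender=send_to_hec):
    """Ship everything after the checkpoint, then advance it. Returns rows sent.
    The checkpoint only moves after a successful send, so a failed POST is retried."""
    rows = fetch_since(conn, state["last_event_id"])
    if not rows:
        return 0
    sender(hec_payload(rows))
    state["last_event_id"] = rows[-1]["event_id"]
    state["last_event_time"] = rows[-1]["event_time"]
    return len(rows)
```

Run `run_once` from a scheduled task with the `state` dict persisted between runs, and call `checkpoint_within_window` on the stored `last_event_time` before each run; if it returns False, stop and backfill from the log files for the missing dates instead of moving the checkpoint forward. On a real deployment replace the in-memory SQLite with a connection to the Audit Trail SQL database and adjust the query to its actual table and column names.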
Hi Uzair,
I'd like to share how we implemented an integration with Splunk previously, which is very much aligned with your suggested solution approach. We separated the AT service & DB from LFS to balance the high auditing load, but the approach also applies with everything on the same machine.
This can be applicable to many other third-party reporting / monitoring systems.