Hi, new here and to Splunk - I'm hoping to use Splunk to help audit security events under OS X server (running 10.7.4) for both Apple File Server events and SMB server events.
I've got Splunk running fine and have the OS X server's syslogd forwarding, in theory, all events to Splunk via adding this to syslog.conf and bouncing syslogd after: *.* @{my.server.ip.address}
Splunk is happily consuming data from the OS X server, but when I make some AFP or SMB connections to it, I don't see anything show up.
Any ideas? I can see some historical events of these types in the system.log viewer in the Console, but my test events don't show up there either.
Thank you for any help! -a