diff --git a/applications/itd/splunk/module.nix b/applications/itd/splunk/module.nix
index 8500a41..52d0e4b 100644
--- a/applications/itd/splunk/module.nix
+++ b/applications/itd/splunk/module.nix
@@ -62,6 +62,13 @@ in {
 "a /home/*/.bash_history - - - - u:splunk:r"
 ];
 
+ security.auditd = {
+ enable = true;
+ settings = {
+ log_group = cfg.user.group;
+ };
+ };
+
 # set up the core files
 systemd.services."${name}_prestart" = {
 wantedBy = [
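Review bot: `log_group = cfg.user.group` makes the audit log readable by every member of that group, whereas the tmpfiles ACL just above the hunk grants read to the single user `splunk` (`u:splunk:r`); audit records can carry command lines and authentication events, so the group should contain only the forwarder's service account. `cfg.user.group` is defined outside this hunk, so whether that holds cannot be confirmed from here; a comment on the `log_group` line such as `# audit log becomes group-readable: keep cfg.user.group limited to the splunk service account` would record the assumption. The hunk also only starts the daemon: unless `security.audit.enable` and `security.audit.rules` are set elsewhere in the configuration, no audit rules are loaded and the forwarder will see little beyond the events emitted without rules. The enclosing `in { … }` attribute set starts and ends outside the hunk.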