I was able to get this working by editing targetConfiguration.xml:
Add an exporter target:
cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)>
e.g.: cp_log_export add name splunk target-server XXX.XXX.XXX.XXX target-port 514 protocol udp format cef
Edit /opt/CPsuite-R77/fw1/log_exporter/targets/splunk/targetConfiguration.xml
Edit the line:
<log_types></log_types><!--all[default]|log|audit/-->
to:
<log_types>audit</log_types><!--all[default]|log|audit/-->
Run the two commands:
cp_log_export reexport name splunk
cp_log_export start name splunk
All audit type logs will be sent.
[Expert@XXXXXXXXXXX:0]# cpwd_admin list
APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 3071 E 1 [21:38:58] 27/4/2018 N cpviewd
CPD 3074 E 1 [21:38:58] 27/4/2018 Y cpd
FWD 3317 E 1 [21:39:13] 27/4/2018 N fwd -n
FWM 3319 E 1 [21:39:13] 27/4/2018 N fwm
STPR 3336 E 1 [21:39:14] 27/4/2018 N status_proxy
SVR 3511 E 1 [21:39:17] 27/4/2018 N SVRServer
CPSEAD 3575 E 1 [21:39:18] 27/4/2018 N cpsead
CPWMD 3603 E 1 [21:39:19] 27/4/2018 N cpwmd -D -app SmartPortal
CPHTTPD 3612 E 1 [21:39:19] 27/4/2018 N cp_http_server -f '/opt/CPportal-R77/portal/conf/cp_httpd_admin.conf'
CP3DLOGD 3643 E 1 [21:39:19] 27/4/2018 N cp3dlogd
SICTUNNEL 3655 E 1 [21:39:19] 27/4/2018 N /opt/CPshrd-R77/bin/cptnl -c "/opt/CPuepm-R77/engine/conf/cptnl_srv.conf"
EPM 0 T 1 [21:39:19] 27/4/2018 N startEngine
DASERVICE 3838 E 1 [21:39:26] 27/4/2018 N DAService_script
CPSM 4316 E 1 [21:39:56] 27/4/2018 N cpstat_monitor
LPD 4659 E 1 [21:40:29] 27/4/2018 N lpd
EXPORTER.splunk 8437 E 1 [21:50:17] 27/4/2018 N /opt/CPsuite-R77/fw1/log_exporter/targets/splunk/log_exporter -export /opt/CPsuite-R77/fw1/log_exporter/targets/splunk/targetConfiguration.xml
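
The steps above as a small shell helper (an added example, not part of the original post and not Check Point code): it sets <log_types> with a backup and checks the cpwd_admin list output for the exporter process. The function names set_log_types and exporter_running are hypothetical, and the column layout is assumed to match the listing above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; paths and commands in the
# usage comments are the ones shown in the post.

# set_log_types FILE VALUE
# Set the content of <log_types> in a Log Exporter targetConfiguration.xml.
# Only the values named in the file's own comment (all|log|audit) are accepted.
set_log_types() {
    file=$1
    value=$2
    case "$value" in
        all|log|audit) ;;
        *) echo "log_types must be all, log or audit" >&2; return 2 ;;
    esac
    # Refuse to edit a file that does not contain the element at all.
    grep -q '<log_types>[^<]*</log_types>' "$file" || {
        echo "no <log_types> element in $file" >&2
        return 1
    }
    # Keep a copy of the previous configuration next to the file.
    cp -p "$file" "$file.bak" || return 1
    # Rewrite only the element content; the trailing comment is left alone.
    sed "s|<log_types>[^<]*</log_types>|<log_types>$value</log_types>|" \
        "$file.bak" > "$file"
}

# exporter_running NAME
# Read `cpwd_admin list` output on stdin. Succeeds only if EXPORTER.NAME is
# listed with STAT E and a non-zero PID (assumed columns: APP PID STAT ...).
exporter_running() {
    awk -v app="EXPORTER.$1" '
        $1 == app && $3 == "E" && $2 > 0 { ok = 1 }
        END { exit !ok }'
}

# Usage on the management server, following the post:
#   conf=/opt/CPsuite-R77/fw1/log_exporter/targets/splunk/targetConfiguration.xml
#   set_log_types "$conf" audit
#   cp_log_export reexport name splunk
#   cp_log_export start name splunk
#   cpwd_admin list | exporter_running splunk && echo "exporter is up"
```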