I am attempting to convert an audit script on my Linux audit server into something manageable in Splunk.
Can I use the commands from the script in Splunk?
An ausearch example is below.
- `ausearch -k logins` and `ausearch -m USER_LOGIN`
No, ausearch is a Unix command. What you can do is write a script that uses ausearch to monitor the audit logs, and have that output indexed. The TA_for_Nix app does that with the rlog.sh script.
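One way to build the kind of scripted input the answer describes, as an added example that is not part of the original thread and is not the TA's rlog.sh; it assumes ausearch is on the PATH and uses a checkpoint file path of my own choosing:

```shell
#!/bin/sh
# Added example (my own, not the rlog.sh shipped in the TA): a Splunk scripted
# input that wraps the two ausearch queries from the question and emits only
# audit records newer than the last one it already sent, so a periodic run
# does not re-index the whole audit log. Assumes ausearch is on PATH and that
# the checkpoint path below (an assumed location) is writable by the Splunk user.

CKPT="${AUDIT_CKPT:-/var/tmp/ausearch_logins.ckpt}"

# Read "ausearch --raw" records on stdin; print those whose audit event id
# ("seconds.millis:serial" inside msg=audit(...)) is newer than $1.
# An empty $1 (no checkpoint yet) lets every record through.
filter_new_events() {
    awk -v last="$1" '
        function newer(id,   a, b) {
            if (last == "") return 1
            split(id, a, ":"); split(last, b, ":")
            if (a[1] + 0 != b[1] + 0) return (a[1] + 0 > b[1] + 0)
            return (a[2] + 0 > b[2] + 0)
        }
        match($0, /msg=audit\([0-9.]+:[0-9]+\)/) {
            if (newer(substr($0, RSTART + 10, RLENGTH - 11))) print
        }'
}

# Read records on stdin and print the newest audit event id seen (next checkpoint).
newest_event_id() {
    awk '
        match($0, /msg=audit\([0-9.]+:[0-9]+\)/) {
            id = substr($0, RSTART + 10, RLENGTH - 11)
            split(id, a, ":"); split(best, b, ":")
            if (best == "" || a[1] + 0 > b[1] + 0 || (a[1] + 0 == b[1] + 0 && a[2] + 0 > b[2] + 0)) best = id
        }
        END { if (best != "") print best }'
}

# One collection run: stdout is what Splunk indexes. The two searches stay
# separate, as in the question, because USER_LOGIN records carry no rule key,
# so combining "-k logins -m USER_LOGIN" in one command would normally match nothing.
run_collector() {
    last=""; [ -s "$CKPT" ] && last=$(cat "$CKPT")
    tmp=$(mktemp)
    { ausearch --raw -k logins; ausearch --raw -m USER_LOGIN; } 2>/dev/null \
        | filter_new_events "$last" > "$tmp"
    cat "$tmp"
    new=$(newest_event_id < "$tmp")
    [ -n "$new" ] && printf '%s\n' "$new" > "$CKPT"
    rm -f "$tmp"
}

# Run the collector only when invoked as "script.sh run" (e.g. from inputs.conf).
if [ "${1:-}" = "run" ] && command -v ausearch >/dev/null 2>&1; then run_collector; fi
```

Point a scripted input in inputs.conf at this script with the `run` argument and an interval; the checkpoint keeps repeated runs from re-sending records Splunk already has.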