Hi
I've enabled the script input /opt/splunk/etc/apps/unix/bin/rlog.sh
to read audit events.
However I noticed there are duplicated events by having the same session id.
I've checked the actual /var/log/audit/audit.log itself and there are only 30 events. However, when I do a search in Splunk there are 90 events, almost triple.
I've noticed that in Splunk there are 3 similar events for each session id, thus causing the events to triple.
Any idea?
Seems to work after following the solution here: http://answers.splunk.com/questions/5650/nix-possible-bug-in-rlog-sh-script