Scripted input of ausearch returns different output compared to when run from the command line

neiljpeterson
Communicator

I am using a scripted input of ausearch to get logs from auditd.

inputs.conf

[script://./bin/get_ausearch.sh]
sourcetype=linux_audit
interval=* * * * *

get_ausearch.sh

sudo /sbin/ausearch --start recent -k testing

I have tested this with splunkd running as both root and as splunk (which is in sudoers) and I get the same result.

The result I get in Splunk is

11-05-2014 10:17:00.074 -0600 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/myapp/bin/get_ausearch.sh"

This is actual output from ausearch (note the ERROR and the ``); it is just not the correct output.

Simultaneously I can manually run the script (or copy the command verbatim) and get the correct results I expect to see.

I also redirected stdout and stderr to files and got the same results.

Any idea what is going on here?

NOTE
I could, of course, monitor the audit.log file itself, but I want to filter on the key and not index all of the audit events. I also realize that the suggested approach is to use the rlog.sh from Splunk Add-on for Unix and Linux, but this is a very narrow and specific monitoring use case, so I am trying to come up with the lightest approach possible.
1 Solution

neiljpeterson
Communicator

So I found the fix. I should have read the man file for ausearch more carefully. From the documentation for ausearch:

--input-logs
Use the log file location from auditd.conf as input for searching. This is needed if you are using ausearch from a cron job.

This value is defined globally in /etc/audit/auditd.conf but in this instance we need to tell ausearch that it is ok to use that file.

The working command for my scripted input in get_ausearch.sh is

sudo /sbin/ausearch --start recent --key testing --input-logs

Even though this isn't strictly a cron job, this is the only reasonable explanation I can find. Someone please correct me if I am wrong.

(Edited with the correct information, my previous answer was slightly incorrect)

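A fuller version of the scripted input, as an added example that is not the poster's script and not part of the Splunk add-on. It keeps the fix above (--input-logs, so ausearch reads the log file named in /etc/audit/auditd.conf instead of waiting on stdin) and adds the checks a practitioner would want around it: the audit key is validated before it is placed on the command line, the argument list is built in one function so it can be inspected without running ausearch, and a "no matches" minute is not reported as an error. It assumes ausearch lives at /sbin/ausearch, that your audit version supports --checkpoint (verify against your local ausearch(8); it is used here so that a once-a-minute interval combined with --start recent does not re-index the same events), and that `sudo -n` is configured if splunkd is not root.

```shell
#!/bin/sh
# Added example: Splunk scripted input wrapping ausearch. Not the poster's
# get_ausearch.sh. Assumptions: ausearch at /sbin/ausearch; --input-logs and
# --checkpoint are supported by the installed audit userspace; SUDO may be
# set to "sudo -n" when splunkd runs unprivileged with a sudoers entry.

AUSEARCH_BIN="${AUSEARCH_BIN:-/sbin/ausearch}"
AUDIT_KEY="${AUDIT_KEY:-testing}"
CHECKPOINT_FILE="${CHECKPOINT_FILE:-/var/tmp/ausearch_${AUDIT_KEY}.ckpt}"
SUDO="${SUDO:-}"

# Audit keys are set with `auditctl -k`; only accept a conservative character
# set so a key read from configuration can never be parsed as an extra option.
valid_key() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the argument list in one place. --input-logs is the fix from the
# answer above: without it ausearch reads stdin, which is empty under splunkd.
# --checkpoint (assumed available) records the last event emitted so each
# one-minute run only prints events not already sent to the indexer.
ausearch_args() {
    key="$1"
    ckpt="$2"
    printf '%s' "--input-logs --start recent --key $key --checkpoint $ckpt"
}

run_ausearch() {
    key="$1"
    ckpt="$2"
    if ! valid_key "$key"; then
        echo "get_ausearch: refusing invalid audit key '$key'" >&2
        return 2
    fi
    if [ ! -x "$AUSEARCH_BIN" ]; then
        echo "get_ausearch: $AUSEARCH_BIN not found or not executable" >&2
        return 127
    fi
    # Word-splitting the argument string is intentional here.
    # shellcheck disable=SC2086
    $SUDO "$AUSEARCH_BIN" $(ausearch_args "$key" "$ckpt")
    rc=$?
    # ausearch(8) exits 1 and prints "<no matches>" to stderr when no event
    # matched; on a quiet minute that is normal, not a scripted-input error.
    [ "$rc" -eq 1 ] && return 0
    return "$rc"
}

run_ausearch "$AUDIT_KEY" "$CHECKPOINT_FILE"
```

Anything written to stderr by the script is what ExecProcessor reports as an ERROR line in splunkd.log, so the wrapper keeps its own messages short and specific (bad key, missing binary) to make that log useful rather than noisy. Point CHECKPOINT_FILE at a directory the splunkd user can write, and remove the --checkpoint argument from ausearch_args if your audit version does not support it.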