I am using a scripted input from ausearch to get logs from audit.d
inputs.conf:
[script://./bin/get_ausearch.sh]
sourcetype=linux_audit
interval=* * * * *

get_ausearch.sh:
#!/bin/sh
sudo /sbin/ausearch --start recent -k testing
I have tested this with splunkd running as both root and as splunk (which is in sudoers) and I get the same result.
The result I get in Splunk is
11-05-2014 10:17:00.074 -0600 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/myapp/bin/get_ausearch.sh"
This is actual output from ausearch (note the ERROR and the ``); it is just not the correct output.
Simultaneously I can manually run the script (or copy the command verbatim) and get the correct results I expect to see.
I also redirected stdout and stderr to files and got the same results.
Any idea what is going on here?
NOTE
I could, of course, monitor the audit.log file itself but I want to filter on the key,
and not index all of the audit events. I also realize that the suggested approach
is to use the rlog.sh from Splunk Add-on for Unix and Linux but this is very narrow
and specific monitoring use case, so I am trying to come up with the lightest approach possible.
So I found the fix. I should have read the man file for ausearch more carefully. From the documentation for ausearch:
--input-logs
Use the log file location from auditd.conf as input for searching. This is needed if you are using ausearch from a cron job.
This value is defined globally in /etc/audit/auditd.conf
but in this instance we need to tell ausearch that it is ok to use that file.
The working command for my scripted input in get_ausearch.sh is:
sudo /sbin/ausearch --start recent --key testing --input-logs
Even though this isn't strictly a cron job, this is the only reasonable explanation I can find. Someone please correct me if I am wrong.
(Edited with the correct information, my previous answer was slightly incorrect)
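A fuller version of the scripted input, added here as an example and not taken from the original post. It keeps the --input-logs fix and separates ausearch's "nothing matched" exit from real failures so that splunkd only logs genuine errors; the variable names AUSEARCH_BIN, AUDIT_KEY, START and SUDO are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original poster's script): a Splunk scripted-input
# wrapper around ausearch that adds --input-logs and tells "no records matched"
# apart from real failures, so the ExecProcessor only reports genuine errors.
# AUSEARCH_BIN, AUDIT_KEY, START and SUDO are assumed names for this example.
AUSEARCH_BIN="${AUSEARCH_BIN:-/sbin/ausearch}"
AUDIT_KEY="${AUDIT_KEY:-testing}"
START="${START:-recent}"      # "recent" means the last 10 minutes
SUDO="${SUDO-sudo}"           # set SUDO="" when the script already runs as root

run_ausearch() {
    errfile=$(mktemp) || return 2
    rc=0
    # --input-logs: read the log file named in auditd.conf even though stdin is
    # not a terminal; without it the scripted input returned nothing useful.
    # Matching records go to stdout, which splunkd indexes as the event stream.
    $SUDO "$AUSEARCH_BIN" --start "$START" --key "$AUDIT_KEY" --input-logs \
        2>"$errfile" || rc=$?
    if [ "$rc" -eq 1 ] && grep -q '<no matches>' "$errfile"; then
        rc=0                 # benign: no records with this key in the window
    else
        cat "$errfile" >&2   # real failure: surface it as an ExecProcessor error
    fi
    rm -f "$errfile"
    return "$rc"
}

run_ausearch
```

Because --start recent covers the last 10 minutes while the input runs every minute, successive runs return overlapping records; newer audit releases provide ausearch --checkpoint to avoid re-indexing them.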