Deployment Architecture

Entire audit log is not forwarding, missing type=PATH entry

djfisher
Explorer

I noticed after an internal audit that Splunk is not forwarding the entire audit.log. I am using Linux Redhat 5. All other "types" look to be captured and forwarded. I see that the Type=PATH line (showing file from permission denied entry) is not forwarding. Why would it exclude this line from the audit file? I did index source type as linux_audit, and tried linux_secure and automatic.

My example for those linux gurus.

Doing a cat command on /etc/shadow creates audit entries, for example: type=SYSCALL success=no exe=/bin/cat...

type=CWD cwd=/etc...

type=PATH name="shadow"....

Line type=PATH is not being indexed

djfisher
Explorer

I am not using the unix apps. I did make a props.conf file under the local directory. Splunk restarted ok, but PATH is still not getting indexed. I will ask the question to more Splunk guys. Thanks for the response John. As for ID numbers, I just tag the id with the person's last name. (enter manually). Luckily not too many users here to monitor.

Any more suggestions on PATH let me know.

Thanks David


JohnRitter
Engager

I have been struggling with the same problem, and I think I just figured it out:

My first solution was for monitoring audit.log as a file (so you get numbers instead of uid's, etc.). I created a file /opt/splunk/etc/system/local/props.xml with the following in it:

[linux_audit]
LINE_BREAKER = ^----$

Since the audit.log file contains ---- separators between each event, all lines between the "----" lines can be assumed to be related to the same event. The LINE_BREAKER setting above causes all of the lines (SYSCALL, CWD, PATH) for a single event to be grouped together for indexing and display. I never figured out why the type=PATH lines got dropped, but this prevents it when you are monitoring it as a file.

I then started using the "rlog.sh" script to monitor the audits so that it would use ausearch -i to translate the audit information to a more human-readable format. However, the same solution did not work. You have to edit the rlog.sh script so that it stops stripping out the "----" separators. Edit the script and remove the "| grep -v ^----" from the ausearch -i command. Then you can make the same props.xml file as above but use the following LINE_BREAKER value:

[linux_audit]
LINE_BREAKER = (----[\r\n]+)
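As an added illustration (not code from this thread or from Splunk), the following Python parser groups audit.log records the way the LINE_BREAKER above does, on the "----" separator, and then reports each denied access with the file name taken from its PATH record, so an event whose PATH line was dropped shows up with None instead of a file name. The sample log and all its values are constructed.

```python
import re

# Constructed sample in the shape the thread describes (a denied cat of
# /etc/shadow): records of one event share an audit(ts:serial) id and events
# are separated by "----" lines, which LINE_BREAKER = (----[\r\n]+) breaks on.
SAMPLE_AUDIT_LOG = """\
----
type=SYSCALL msg=audit(1716300000.123:4242): arch=c000003e syscall=2 success=no exit=-13 exe="/bin/cat" uid=1001
type=CWD msg=audit(1716300000.123:4242):  cwd="/etc"
type=PATH msg=audit(1716300000.123:4242): item=0 name="shadow" inode=131 mode=0100000 ouid=0
----
type=SYSCALL msg=audit(1716300000.456:4243): arch=c000003e syscall=2 success=no exit=-13 exe="/bin/cat" uid=1001
type=CWD msg=audit(1716300000.456:4243):  cwd="/etc"
----
"""

SEPARATOR = re.compile(r"^----\s*$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")


def parse_events(text):
    """Group records between "----" lines: [{"id": "ts:serial", "records": {type: fields}}]."""
    events, current = [], {}
    for line in text.splitlines():
        if SEPARATOR.match(line):
            if current:
                events.append(current)
            current = {}
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        rtype = fields.pop("type", None)
        if not rtype:
            continue  # not an audit record
        m = AUDIT_ID.search(line)
        current.setdefault("id", m.group(1) if m else "?")
        current.setdefault("records", {})[rtype] = fields
    if current:
        events.append(current)
    return events


def denied_file_accesses(events):
    """Report (id, exe, cwd, file) per failed syscall; file is None when PATH is missing."""
    out = []
    for ev in events:
        recs = ev["records"]
        sc = recs.get("SYSCALL")
        if sc and sc.get("success") == "no":
            file = recs.get("PATH", {}).get("name")
            out.append((ev["id"], sc.get("exe"), recs.get("CWD", {}).get("cwd"), file))
    return out
```

Running it on the sample returns the first event with file "shadow" and the second, which lost its PATH record, with file None, which is the gap the original poster saw in the index.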

JohnRitter
Engager

Exactly. Values placed in .../system/local/ files will take precedence over the unix app defaults.

I forgot to mention you have to restart Splunk after you make the change (for both versions), and it only affects logs that are indexed after the change & restart. To make it retroactive, you'd have to force it to re-index everything somehow. Since I'm just experimenting at this point, I'll probably just de-install and re-install Splunk to clear it out. There's probably a more graceful way to do it though.


djfisher
Explorer

How did the first option work? You simply make this file and save it to the /local/ directory as props.xml and it will modify linux_audit?

David
