
How to convert audit.log data to usernames instead of user id numbers?

splukUP
Engager

I'm using the standard auditd in Linux to capture "permission denied" messages. For some odd reason, auditd likes to store usernames as numbers (e.g. uid=500 instead of uid=john). It is possible to read audit.log by calling ausearch ... -i, which will do the number->name conversion. Is there an easy, painless way to get the converted data into Splunk?


jsb22
Path Finder

For those who were still looking for answers after viewing this thread, check out this link


Lowell
Super Champion

You should check out the rlog.sh scripted input provided by the Unix app that is shipped with Splunk. It will convert ids to names and format timestamps for you. It uses the ausearch command-line tool behind the scenes to give you a more human-readable format.

Unfortunately, the default readlog.py script (which is used by rlog.sh) contains some silly mistakes that can cause your log to be reprocessed. I'd recommend that you apply the fix that I've come up with, which can be found on this question:

http://answers.splunk.com/questions/5650/nix-possible-bug-in-rlog-sh-script/5725#5725
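To make concrete what such a scripted input has to do, here is an added example (written for this page; it is not rlog.sh, readlog.py or any other code from the Splunk Unix app). It performs the same id-to-name rewrite that `ausearch -i` does on the uid/gid fields of raw audit.log records, treats the `4294967295` sentinel in `auid=` as "unset" the way ausearch prints it, leaves unknown ids numeric, and keeps a checkpoint (the `msg=audit(timestamp:serial)` id of the last record forwarded) so a re-run does not re-index records it already emitted, which is the reprocessing problem described above. The audit records and the passwd/group tables are constructed for the example; on a real host the tables would come from the `pwd`/`grp` modules and the checkpoint would be persisted to a file between runs. The function names (`interpret`, `new_records`, `forward`) are this example's own.

```python
"""Resolve numeric uid/gid fields in raw auditd records to names (as
`ausearch -i` does) and forward only records newer than a checkpoint."""
import re

# Constructed sample records for this example; not captured from a real host.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1209480000.123:4001): avc:  denied  { read } for  pid=2112 comm="cat" name="shadow" dev=sda1 ino=1234 tclass=file
type=SYSCALL msg=audit(1209480000.123:4001): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2100 pid=2112 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="perm-denied"
type=USER_LOGIN msg=audit(1209480100.456:4002): user pid=2300 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="john" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=failed'
type=SYSCALL msg=audit(1209480200.789:4003): arch=c000003e syscall=2 success=no exit=-13 ppid=1 pid=2400 auid=9999 uid=9999 gid=500 euid=9999 key="perm-denied"
"""

# Constructed stand-ins for /etc/passwd and /etc/group (real code: pwd/grp modules).
PASSWD = {0: "root", 500: "john"}
GROUP = {0: "root", 500: "john"}

# (unsigned)-1: auditd's "no login uid" marker; ausearch -i prints it as "unset".
UNSET = 4294967295

# \b keeps "uid" from matching inside "auid"/"fsuid"; "pid", "ses" etc. are untouched.
UID_FIELD = re.compile(r"\b(auid|uid|euid|suid|fsuid|ouid)=(\d+)")
GID_FIELD = re.compile(r"\b(gid|egid|sgid|fsgid|ogid)=(\d+)")
MSG_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def interpret(line, passwd=PASSWD, group=GROUP):
    """Rewrite uid=/gid= style fields to names; unknown ids stay numeric."""
    def substituter(table):
        def repl(m):
            field, num = m.group(1), int(m.group(2))
            if num == UNSET:
                return f"{field}=unset"
            return f"{field}={table.get(num, num)}"
        return repl
    line = UID_FIELD.sub(substituter(passwd), line)
    return GID_FIELD.sub(substituter(group), line)


def record_id(line):
    """(timestamp, serial) from msg=audit(...), or None for lines without one."""
    m = MSG_ID.search(line)
    return (float(m.group(1)), int(m.group(2))) if m else None


def new_records(lines, checkpoint=None):
    """Return (records newer than checkpoint, newest id seen).

    Records sharing one serial (e.g. the AVC and SYSCALL pair above) are
    either all before or all after the checkpoint, so none is half-forwarded.
    """
    latest = checkpoint
    fresh = []
    for line in lines:
        rid = record_id(line)
        if rid is None or (checkpoint is not None and rid <= checkpoint):
            continue
        fresh.append(line)
        if latest is None or rid > latest:
            latest = rid
    return fresh, latest


def forward(log_text, checkpoint=None, passwd=PASSWD, group=GROUP):
    """What a scripted input would write to stdout for Splunk on one run,
    plus the checkpoint to persist for the next run."""
    fresh, latest = new_records(log_text.splitlines(), checkpoint)
    return [interpret(l, passwd, group) for l in fresh], latest


if __name__ == "__main__":
    records, checkpoint = forward(SAMPLE_AUDIT_LOG)
    print("\n".join(records))
    # A second run with the saved checkpoint emits nothing new.
    print(len(forward(SAMPLE_AUDIT_LOG, checkpoint)[0]), "records on re-run")
```

The checkpoint is keyed on the audit record id rather than on a byte offset in audit.log, so it survives log rotation; the trade-off is that records with an older timestamp than the checkpoint (clock stepped backwards) would be dropped, which `ausearch` itself handles no better.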
