I saw someone had this kind of issue last year and did not see an answer. I will explain my situation.

I have an issue with a particular machine using the *NIX app for forwarding audits using the built-in ausearch script. The ausearch option is giving errors and not collecting data. It is working fine on many others running the same software. This was happening with Splunk 4.1.5 and continues with Splunk 4.1.6.

Redhat Linux Enterprise 5.5

option set in *NIX app

Linux Audit Log (/var/log/audit/audit.log | ausearch)

When this is enabled I get this error:

Splunkd.log ERROR ExecProcessor - message from "/opt/splunk/etc/apps/unix/bin/rlog.sh" Traceback (most recent call last): ERROR ExecProcessor - message from "/opt/splunk/etc/apps/unix/bin/rlog.sh" File "/opt/splunk/etc/apps/unix/bin/readlog.py", line 97, in ? ERROR ExecProcessor - message from "/opt/splunk/etc/apps/unix/bin/rlog.sh" print line, ERROR ExecProcessor - message from "/opt/splunk/etc/apps/unix/bin/rlog.sh" IOError: [Errno 32] Broken pipe.

Thinking maybe the rlog.sh script file was corrupted I copied another one from an identical setup and this particular machine gives this error. I can run the ausearch manually on the machine and can also read /var/log/audit/audit.log on Splunk. I added this after I noticed the error and no files being collected from the *NIX ausearch.