Scripted input of ausearch returns different output compared to when run from the command line

neiljpeterson
Communicator

I am using a scripted input from ausearch to get logs from auditd

inputs.conf

[script://./bin/get_ausearch.sh]
sourcetype=linux_audit
interval=* * * * *

get_ausearch.sh

sudo /sbin/ausearch --start recent -k testing

I have tested this with splunkd running as both root and as splunk (which is in sudoers) and I get the same result.

The result I get in Splunk is

11-05-2014 10:17:00.074 -0600 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/myapp/bin/get_ausearch.sh"

This is actual output from ausearch (note the ERROR and the ``) it is just not the correct output.

Simultaneously I can manually run the script (or copy the command verbatim) and get the correct results I expect to see.

I also redirected stdout and stderr to files and got the same results.

Any idea what is going on here?

NOTE
I could, of course, monitor the audit.log file itself, but I want to filter on the key and not index all of the audit events. I also realize that the suggested approach is to use rlog.sh from the Splunk Add-on for Unix and Linux, but this is a very narrow and specific monitoring use case, so I am trying to come up with the lightest approach possible.
1 Solution

neiljpeterson
Communicator

So I found the fix. I should have read the man file for ausearch more carefully. From the documentation for ausearch:

--input-logs
Use the log file location from auditd.conf as input for searching. This is needed if you are using ausearch from a cron job.

This value is defined globally in /etc/audit/auditd.conf but in this instance we need to tell ausearch that it is ok to use that file.

The working command for my scripted input in get_ausearch.sh is

sudo /sbin/ausearch --start recent --key testing --input-logs

Even though this isn't strictly a cron job, this is the only reasonable explanation I can find. Someone please correct me if I am wrong.

(Edited with the correct information, my previous answer was slightly incorrect)

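The scripted input written out as a complete, testable script, added here as an example and not the poster's own get_ausearch.sh. It keeps the --input-logs fix from the answer and adds two things a practitioner hits next with this setup. First, when the key matches nothing, ausearch reports "no matches" on stderr and exits non-zero, and splunkd's ExecProcessor records any stderr output as an ERROR line in splunkd.log, so the script classifies that case as an empty run instead of a failure. Second, --start recent means the last 10 minutes while the inputs.conf interval fires every minute, so each run would re-emit up to 10 minutes of records that earlier runs already sent; a small checkpoint keyed on the audit(SECONDS.MS:SERIAL) event id drops those. The ausearch path comes from the page; the checkpoint location, the sudo call, the key name and the sample records are assumptions or constructed for the example.

```shell
#!/bin/sh
# get_ausearch.sh: scripted-input wrapper around ausearch.
# Added example, not the original poster's script. Paths, the key name and the
# checkpoint location are assumptions; adjust them for your host.
set -u

AUSEARCH="${AUSEARCH:-/sbin/ausearch}"                           # path used on the page
KEY="${KEY:-testing}"                                             # audit rule key to pull
CHECKPOINT="${CHECKPOINT:-/var/lib/splunk/ausearch_${KEY}.chk}"   # assumed; directory must exist

# Classify an ausearch run from its exit status ($1) and captured stderr ($2).
# ausearch exits 1 and prints "<no matches>" on stderr (nothing at all with --raw)
# when nothing matched; splunkd's ExecProcessor logs any stderr text as ERROR, so
# that case is reported as "none" and never treated as a failure.
# Prints one word: found, none or error.
classify_run() {
    status="$1"; stderr_text="$2"
    if [ "$status" -eq 0 ]; then
        echo found
    elif [ "$status" -eq 1 ] && { [ -z "$stderr_text" ] || printf '%s' "$stderr_text" | grep -qi 'no matches'; }; then
        echo none
    else
        echo error
    fi
}

# Read raw audit records on stdin and print only those whose
# msg=audit(SECONDS.MS:SERIAL) id is later than the checkpoint id in $1
# (same SECONDS.MS:SERIAL form; empty means no checkpoint yet). The highest id
# seen is written to the file named in $2 so the next run continues from it.
# Needed because "--start recent" means the last 10 minutes while the input runs
# every minute, so each run re-reads records the previous runs already emitted.
filter_new() {
    awk -v last="$1" -v out="$2" '
    BEGIN {
        split(last, p, ":"); lts = p[1] + 0; lser = p[2] + 0
        mts = lts; mser = lser
    }
    {
        if (match($0, /msg=audit\([0-9]+\.[0-9]+:[0-9]+\)/) == 0) next   # not an audit record
        id = substr($0, RSTART + 10, RLENGTH - 11)                      # SECONDS.MS:SERIAL
        split(id, q, ":"); ts = q[1] + 0; ser = q[2] + 0
        if (ts < lts || (ts == lts && ser <= lser)) next                # already emitted
        print
        if (ts > mts || (ts == mts && ser > mser)) { mts = ts; mser = ser }
    }
    END { if (mts > 0) printf "%.3f:%d\n", mts, mser > out }
    '
}

# Constructed sample of "ausearch --raw" output: event 1234 was already emitted
# by a previous run, 1235 is a new record in the same second, 1240 is a later event.
SAMPLE_RECORDS='type=SYSCALL msg=audit(1415204220.074:1234): arch=c000003e syscall=2 success=yes exit=3 key="testing"
type=CWD msg=audit(1415204220.074:1234):  cwd="/root"
type=PATH msg=audit(1415204220.074:1234): item=0 name="/etc/hosts"
type=SYSCALL msg=audit(1415204220.074:1235): arch=c000003e syscall=2 success=no exit=-13 key="testing"
type=SYSCALL msg=audit(1415204281.500:1240): arch=c000003e syscall=257 success=yes exit=4 key="testing"
type=PATH msg=audit(1415204281.500:1240): item=0 name="/etc/shadow"'

main() {
    last=""
    [ -r "$CHECKPOINT" ] && last=$(cat "$CHECKPOINT")
    errfile=$(mktemp) || exit 2
    # --input-logs: read the file named in auditd.conf instead of stdin (the fix in the answer);
    # --raw: records exactly as they appear in audit.log, so Splunk sees the native format;
    # sudo is only needed when splunkd does not run as root.
    out=$(sudo "$AUSEARCH" --input-logs --raw --start recent --key "$KEY" 2>"$errfile")
    status=$?
    err=$(cat "$errfile"); rm -f "$errfile"
    case "$(classify_run "$status" "$err")" in
        found)
            printf '%s\n' "$out" | filter_new "$last" "$CHECKPOINT.tmp" \
                && [ -s "$CHECKPOINT.tmp" ] && mv "$CHECKPOINT.tmp" "$CHECKPOINT" ;;
        none)  ;;   # quiet: nothing to index and nothing for splunkd.log
        error) printf 'ausearch failed (exit %s): %s\n' "$status" "$err" >&2; exit 2 ;;
    esac
}

# Only run the collector when invoked as the scripted input itself.
if [ "${0##*/}" = "get_ausearch.sh" ]; then
    main
fi
```

The checkpoint comparison assumes audit timestamps are monotonic; a clock step backwards would make records look old and drop them until time catches up. Newer audit releases ship a --checkpoint option in ausearch that does this bookkeeping natively, which is the better choice where available; the awk version is for older hosts and to make the logic visible.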
