- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: Custom audit path with rlog.sh
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have audit data coming from a port (UDP) to Heavy Forwarder[via syslog] and have to apply rlog.sh on the same.
Just to start, I tried to monitor a custom path rather than the /var/log/audit/audit.log and used rlog.sh script.
Something like this:
[monitor:///vf/home/splunk/Audit_new.log]
[script:///opt/splunk/splunkforwarder/etc/apps/Splunk_TA_nix/bin/rlog.sh]
sourcetype = auditd_nix
interval = 1
index = vf_os
disabled = 0
passAuth = splunk
Instead of indexing vf/home/splunk/Audit_new.log, SPLUNK indexed /var/log/audit/auditd.log with index=vf_os and sourcetype=auditd_nix and source=/opt/splunk/splunkforwarder/etc/apps/Splunk_TA_nix/bin/rlog.sh
I want to index the sample file i placed under custom path vf/home/splunk/Audit_new.log with rlog.sh implemented.
Thanks,
Payal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
If you want to monitor audit.log from different path then you need to modify rlog.sh and it is not best practice to modify script shipped with Add-on because when you will upgrade the Splunk Add-on for Linux and Unix it will overwrite rlog.sh & due to this your monitoring will break.
If you still want to achieve this using custom rlog.sh then change below config in rlog.sh
From
AUDIT_FILE=/var/log/audit/audit.log
To
AUDIT_FILE=/vf/home/splunk/Audit_new.log
And remove [monitor:///vf/home/splunk/Audit_new.log] from inputs.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
If you want to monitor audit.log from different path then you need to modify rlog.sh and it is not best practice to modify script shipped with Add-on because when you will upgrade the Splunk Add-on for Linux and Unix it will overwrite rlog.sh & due to this your monitoring will break.
If you still want to achieve this using custom rlog.sh then change below config in rlog.sh
From
AUDIT_FILE=/var/log/audit/audit.log
To
AUDIT_FILE=/vf/home/splunk/Audit_new.log
And remove [monitor:///vf/home/splunk/Audit_new.log] from inputs.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks.
It's working!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As a follow up:
Could you add a second
AUDIT_FILE=<PATH>
To index a second custom audit file path along with the default?
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
