I'm using the standard auditd in Linux to capture "permission denied" messages. For some odd reason, auditd likes to store usernames as numbers (e.g. uid=500 instead of uid=john). It is possible to read audit.log by calling ausearch ... -i, which will do the number->name conversion. Is there an easy, painless way to get the converted data into Splunk?
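The number-to-name conversion the question describes can also be done outside of ausearch, which matters if the goal is a stream of already-resolved lines for Splunk to index. The script below is an added example, not part of the original post or of the audit or Splunk projects: it rewrites the uid/gid fields of raw audit.log records using the local passwd and group databases (the same source `ausearch -i` uses for those fields), maps the unset login uid 4294967295 to `unset` as ausearch does, and can optionally keep only failed SYSCALL records that returned EACCES or EPERM. It does not decode the other fields ausearch -i interprets (syscall numbers, arch, exit codes). The sample records and the `{0: "root", 500: "john"}` lookup table used in the demo are constructed for the example.

```python
#!/usr/bin/env python3
"""Resolve numeric uid/gid fields in raw auditd records to names.

Added example (not from the original post, auditd, or Splunk). It does for
uid/gid fields what ``ausearch -i`` does, so resolved lines can be handed to
Splunk, e.g. from a scripted input, without depending on ausearch. Other
fields that ausearch -i decodes (syscall, arch, exit) are left untouched.
"""
import grp
import pwd
import re
import sys

# auditd record fields whose values are numeric user ids / group ids.
UID_FIELDS = {"uid", "auid", "euid", "suid", "fsuid", "ouid"}
GID_FIELDS = {"gid", "egid", "sgid", "fsgid", "ogid"}

# key=value pairs with a purely numeric value; everything else is left alone.
_NUM_FIELD_RE = re.compile(r"\b(?P<key>[a-z]+)=(?P<val>-?\d+)\b")

# auditd writes unsigned -1 for an unset login uid; ausearch -i prints "unset".
_UNSET = {-1, 4294967295}


def pwd_lookup(uid):
    """Name for uid from the local passwd database, or None if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def grp_lookup(gid):
    """Name for gid from the local group database, or None if unknown."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None


def resolve_ids(line, uid_lookup=pwd_lookup, gid_lookup=grp_lookup):
    """Return line with uid/gid fields rewritten as names; unknown ids stay numeric."""
    def repl(match):
        key, val = match.group("key"), int(match.group("val"))
        if key in UID_FIELDS:
            name = "unset" if val in _UNSET else uid_lookup(val)
        elif key in GID_FIELDS:
            name = gid_lookup(val)
        else:
            return match.group(0)
        return f"{key}={val if name is None else name}"
    return _NUM_FIELD_RE.sub(repl, line)


def is_permission_denied(line):
    """True for a failed SYSCALL record whose exit was EACCES (-13) or EPERM (-1)."""
    return (line.startswith("type=SYSCALL")
            and re.search(r"\bsuccess=no\b", line) is not None
            and re.search(r"\bexit=-(13|1)\b", line) is not None)


def convert(lines, denied_only=False, uid_lookup=pwd_lookup, gid_lookup=grp_lookup):
    """Resolve ids in each record, optionally keeping only permission-denied syscalls."""
    return [resolve_ids(line, uid_lookup, gid_lookup)
            for line in lines if not denied_only or is_permission_denied(line)]


# Constructed sample records in raw audit.log format (not real captured data).
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1300000000.123:45): arch=c000003e syscall=2 success=no exit=-13 '
    'ppid=1 pid=1234 auid=500 uid=500 gid=500 euid=500 comm="cat" exe="/bin/cat" key="perm"',
    'type=SYSCALL msg=audit(1300000000.456:46): arch=c000003e syscall=2 success=yes exit=3 '
    'ppid=1 pid=1235 auid=0 uid=0 gid=0 euid=0 comm="cat" exe="/bin/cat" key="perm"',
    'type=CRED_ACQ msg=audit(1300000000.789:47): pid=1236 uid=0 auid=4294967295 ses=4294967295 '
    'msg=\'op=PAM:setcred acct="root"\'',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Scripted-input style use: python3 audit_names.py /var/log/audit/audit.log
        with open(sys.argv[1]) as fh:
            for raw in fh:
                print(resolve_ids(raw.rstrip("\n")))
    else:
        # Offline demo on the constructed records with a constructed passwd/group table.
        fake = {0: "root", 500: "john"}
        for out in convert(SAMPLE_LINES, denied_only=True,
                           uid_lookup=fake.get, gid_lookup=fake.get):
            print(out)
```

Run with no arguments it prints the resolved permission-denied record from the constructed samples; given a path it resolves every line of that file, which is the shape Splunk can consume from a scripted input (an inputs.conf `[script://...]` stanza). Resolving against the local passwd/group databases means the names are only correct on the host that produced audit.log, so run it on the forwarder, not centrally.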