https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripted-input-of-ausearch-returns-different-output-compared-to/m-p/112985#M8259 <P>So I found the fix. I should have read the man file for ausearch more carefully. <A href="http://www.linuxcommand.org/man_pages/ausearch8.html">From the documentation for ausearch:</A> </P> <PRE><CODE>--input-logs Use the log file location from auditd.conf as input for searching. This is needed if you are using ausearch from a cron job. </CODE></PRE> <P>This value is defined globally in <CODE>/etc/audit/auditd.conf</CODE> but in this instance we need to tell ausearch that it is ok to use that file.</P> <P>The working command for my scripted input in * <STRONG>get_ausearch.sh</STRONG> * is</P> <P><CODE>sudo /sbin/ausearch --start recent --key testing --input-logs</CODE></P> <P>Even though this isn't strictly a cron job, this is the only reasonable explanation I can find. Someone please correct me if I am wrong.</P> <P><EM>(Edited with the correct information, my previous answer was slightly incorrect)</EM></P> Wed, 05 Nov 2014 18:17:06 GMT neiljpeterson 2014-11-05T18:17:06Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripted-input-of-ausearch-returns-different-output-compared-to/m-p/112984#M8258 <P>I am using a scripted input from ausearch to get logs from audit.d</P> <P><STRONG>inputs.conf</STRONG></P> <PRE><CODE>[script://./bin/get_ausearch.sh] sourcetype=linux_audit interval=* * * * * </CODE></PRE> <P><STRONG>get_ausearch.sh</STRONG></P> <PRE><CODE>sudo /sbin/ausearch --start recent -k testing </CODE></PRE> <P>I have tested this with <CODE>splunkd</CODE> running as both <CODE>root</CODE> and as <CODE>splunk</CODE>(which is in <CODE>sudoers</CODE>) and I get the same result.</P> <P>The result I get in Splunk is</P> <P><CODE>11-05-2014 10:17:00.074 -0600 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/myapp/bin/get_ausearch.sh"</CODE></P> <P>This is actual output <EM>from</EM> <CODE>ausearch</CODE> (note the <CODE>ERROR</CODE> and the ``) it is just not the <EM>correct</EM> output.</P> <P><EM>Simultaneously</EM> I can manually run the script (or copy the command verbatim) and get the <EM>correct</EM> results I expect to see.</P> <P>I am also redirected stdout, stderr to files and got the same results.</P> <P>Any idea what is going on here? </P> <PRE><CODE>NOTE I could, of course, monitor the audit.log file itself but I want to filter on the key, and not index all of the audit events. I also realize that the suggested approach is to use the rlog.sh from Splunk Add-on for Unix and Linux but this is very narrow and specific monitoring use case, so I am trying to come up with the lightest approach possible. </CODE></PRE> Wed, 05 Nov 2014 16:44:32 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripted-input-of-ausearch-returns-different-output-compared-to/m-p/112984#M8258 neiljpeterson 2014-11-05T16:44:32Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripted-input-of-ausearch-returns-different-output-compared-to/m-p/112985#M8259 <P>So I found the fix. I should have read the man file for ausearch more carefully. <A href="http://www.linuxcommand.org/man_pages/ausearch8.html">From the documentation for ausearch:</A> </P> <PRE><CODE>--input-logs Use the log file location from auditd.conf as input for searching. This is needed if you are using ausearch from a cron job. </CODE></PRE> <P>This value is defined globally in <CODE>/etc/audit/auditd.conf</CODE> but in this instance we need to tell ausearch that it is ok to use that file.</P> <P>The working command for my scripted input in * <STRONG>get_ausearch.sh</STRONG> * is</P> <P><CODE>sudo /sbin/ausearch --start recent --key testing --input-logs</CODE></P> <P>Even though this isn't strictly a cron job, this is the only reasonable explanation I can find. Someone please correct me if I am wrong.</P> <P><EM>(Edited with the correct information, my previous answer was slightly incorrect)</EM></P> Wed, 05 Nov 2014 18:17:06 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripted-input-of-ausearch-returns-different-output-compared-to/m-p/112985#M8259 neiljpeterson 2014-11-05T18:17:06Z