https://community.splunk.com/t5/Getting-Data-In/How-to-implement-rlog-sh-ausearch-utility-for-an-audit-log-of/m-p/589696#M103391 <P>Hi&nbsp;all,</P> <P>Please help with the below.&nbsp; I am using rlog.sh (inbuilt script) provided by Splunk in TA-unix package , to apply ausearch utility for linux audit logs.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile_model_prod AUDIT_FILE=/opt/splunklogs_app/audit_prod/audit.log if [ -e $SEEK_FILE ] ; then SEEK=`head -1 $SEEK_FILE` else SEEK=0 echo "0" &gt; $SEEK_FILE fi FILE_LINES=`wc -l $AUDIT_FILE | cut -d " " -f 1` if [ $FILE_LINES -lt $SEEK ] ; then # audit file has wrapped SEEK=0 fi awk -v START=$SEEK -v OUTPUT=$SEEK_FILE 'NR&gt;START { print } END { print NR &gt; OUTPUT }' $AUDIT_FILE | tee $TEE_DEST | /sbin/ausearch -i 2&gt;/dev/null | grep -v "^----"</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>This inbuilt script is converting default format of linux audit logs by applying ausearch utility.<BR /><BR />example below:&nbsp;<BR /><BR /><U>Log input :</U><BR /><BR />type=TTY msg=<FONT color="#008000"><STRONG>audit(1647315634.249:442)</STRONG></FONT>: tty pid=2962 uid=0 auid=1001 ses=1368 major=136 minor=0 comm="bash" data=7669202F6574632F727375737F7F79730963090D<BR /><BR /><U>Log output after using rlog.sh</U><BR /><BR />type=TTY msg=<STRONG><FONT color="#008000">audit(03/15/2022 14:40:34.791:2962)</FONT></STRONG>: tty pid=2962 uid=root auid=root ses=1368 major=136 minor=0 comm="bash" data=7669202F6574632F727375737F7F79730963090D</P> <P>&nbsp;</P> <P>Now I have audit.log being generated in a different format.. like below..<BR /><BR /><U>My audit.log:<BR /><BR /></U><FONT color="#FF0000">(custom audit.log format)</FONT><U><BR /></U><FONT color="#800080">IP: 10.200.30.40 | &lt;158&gt;Mar 11 16:10:24 xxx-yyy-zzz AuditLog type=SYSCALL msg=audit(1646979024.027:1697): arch=c000003e syscall=4 success=yes exit=0 a0=7f1304042410 a1=7f13092f66a0 a2=7f13092f66a0 a3=0 items=1 ppid=1 pid=2270 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="in:imfile" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null) Hostname=10.200.30.40</FONT></P> <P><FONT color="#FF0000">(default audit.log format)</FONT><BR /><FONT color="#800080">type=USER_TTY msg=audit(1646592289.268:441): pid=2962 uid=0 auid=1001 ses=1368 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data=73797374656D63746C2073746174757320727379736C6F67 Hostname=xxx<U><BR /></U></FONT><BR />so basically I will have logs of both default audit log format and this custom format being logged in audit.log. When I apply the rlog.sh/ausearch utility to this log, only logs with default audit.log type are being converted with ausearch utility and sent to output and indexed, the other logs are not even being sent to output.<BR /><BR />Please help.</P> Fri, 18 Mar 2022 15:12:08 GMT bhargavi 2022-03-18T15:12:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-implement-rlog-sh-ausearch-utility-for-an-audit-log-of/m-p/589696#M103391 <P>Hi&nbsp;all,</P> <P>Please help with the below.&nbsp; I am using rlog.sh (inbuilt script) provided by Splunk in TA-unix package , to apply ausearch utility for linux audit logs.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile_model_prod AUDIT_FILE=/opt/splunklogs_app/audit_prod/audit.log if [ -e $SEEK_FILE ] ; then SEEK=`head -1 $SEEK_FILE` else SEEK=0 echo "0" &gt; $SEEK_FILE fi FILE_LINES=`wc -l $AUDIT_FILE | cut -d " " -f 1` if [ $FILE_LINES -lt $SEEK ] ; then # audit file has wrapped SEEK=0 fi awk -v START=$SEEK -v OUTPUT=$SEEK_FILE 'NR&gt;START { print } END { print NR &gt; OUTPUT }' $AUDIT_FILE | tee $TEE_DEST | /sbin/ausearch -i 2&gt;/dev/null | grep -v "^----"</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>This inbuilt script is converting default format of linux audit logs by applying ausearch utility.<BR /><BR />example below:&nbsp;<BR /><BR /><U>Log input :</U><BR /><BR />type=TTY msg=<FONT color="#008000"><STRONG>audit(1647315634.249:442)</STRONG></FONT>: tty pid=2962 uid=0 auid=1001 ses=1368 major=136 minor=0 comm="bash" data=7669202F6574632F727375737F7F79730963090D<BR /><BR /><U>Log output after using rlog.sh</U><BR /><BR />type=TTY msg=<STRONG><FONT color="#008000">audit(03/15/2022 14:40:34.791:2962)</FONT></STRONG>: tty pid=2962 uid=root auid=root ses=1368 major=136 minor=0 comm="bash" data=7669202F6574632F727375737F7F79730963090D</P> <P>&nbsp;</P> <P>Now I have audit.log being generated in a different format.. like below..<BR /><BR /><U>My audit.log:<BR /><BR /></U><FONT color="#FF0000">(custom audit.log format)</FONT><U><BR /></U><FONT color="#800080">IP: 10.200.30.40 | &lt;158&gt;Mar 11 16:10:24 xxx-yyy-zzz AuditLog type=SYSCALL msg=audit(1646979024.027:1697): arch=c000003e syscall=4 success=yes exit=0 a0=7f1304042410 a1=7f13092f66a0 a2=7f13092f66a0 a3=0 items=1 ppid=1 pid=2270 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="in:imfile" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null) Hostname=10.200.30.40</FONT></P> <P><FONT color="#FF0000">(default audit.log format)</FONT><BR /><FONT color="#800080">type=USER_TTY msg=audit(1646592289.268:441): pid=2962 uid=0 auid=1001 ses=1368 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data=73797374656D63746C2073746174757320727379736C6F67 Hostname=xxx<U><BR /></U></FONT><BR />so basically I will have logs of both default audit log format and this custom format being logged in audit.log. When I apply the rlog.sh/ausearch utility to this log, only logs with default audit.log type are being converted with ausearch utility and sent to output and indexed, the other logs are not even being sent to output.<BR /><BR />Please help.</P> Fri, 18 Mar 2022 15:12:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-implement-rlog-sh-ausearch-utility-for-an-audit-log-of/m-p/589696#M103391 bhargavi 2022-03-18T15:12:08Z