I'm trying to get auditd events into Splunk using the script from the TA-unix app. I get events like the following in _internal:
06-14-2012 18:09:55.042 -0700 INFO ExecProcessor - Ran script: /opt/splunk/etc/apps/CentOS_Security/bin/rlog.sh, took 21.93 milliseconds to run, 0 bytes read, exited with code 1
My inputs.conf (note, I've tried both with and without the authPass setting):
[script://./bin/rlog.sh]
sourcetype = auditd
source = auditd
interval = 60
index = security
disabled = 0
passAuth = root
These are the permissions on the audit.log file:
-rw------- 1 root root 1326504 Jun 14 18:15 audit.log
If I su to Splunk and run the script, I get nothing. If I run it as root, I see events.
Any ideas? I notice in the TA-unix app's inputs.conf file, it doesn't use the passAuth line.
Thx.
Craig
I have a different issue with rlog.sh, but the permission issue for the audit.log is pretty easy to fix, assuming you can change /etc/audit/auditd.conf
Just add "log_group = splunk" to your auditd.conf file (assuming your splunk user is a member of the "splunk" group). Personally, I have my config management add the splunk user to the "adm" group, as that gets it read rights to just about all the logfiles, then you could make the auditd.conf file have log_group=adm and you would still be ok.
It looks like the user that splunk is running as does not have the right permissions to access /var/log/audit/audit.log. This is generally true in most Linux systems where only root has access to /var/log/* files.
Solution: (1) run splunk as root or (2) and more preferably, give splunk read permissions on that file - or on the entire /var/log/ dir.
Hope this helps.
One option would be to change the group of the audit.log in /etc/audit/audit.rules to say 'adm' and make 'splunk' user a member of 'adm' group, so splunk process can read /var/log/audit/audit.log files. ['audit' directory should have 'adm' group as well or 'read' access for 'adm'.]
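A preflight check for the permission problem discussed in the answers above, added here as an example and not part of the thread or of the TA-unix app: it tests whether a given OS account (the one Splunk runs as) has the read bit on the audit log from the file's mode and group membership, reads the effective log_group from auditd.conf, and prints the log_group change the answers suggest when access is denied. Function names, the auditd.conf path and the "nosuchuser" account are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check for the scripted input.
# Splunk runs rlog.sh as its own OS account, so the question is whether THAT
# account can read the audit log; the check derives the answer from the file's
# mode bits and group membership rather than from the caller's own access.

# can_read USER FILE -> 0 if USER's class (owner/group/other) has the read bit.
can_read() {
  user="$1"; file="$2"
  [ "$user" = root ] && return 0                 # root bypasses mode bits
  out=$(ls -ld "$file" 2>/dev/null) || return 2  # e.g. -rw------- 1 root root 1326504 Jun 14 18:15 audit.log
  set -- $out
  perms="$1"; owner="$3"; group="$4"
  if [ "$user" = "$owner" ]; then
    bit=$(printf '%s' "$perms" | cut -c2)        # owner read bit
  elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
    bit=$(printf '%s' "$perms" | cut -c5)        # group read bit
  else
    bit=$(printf '%s' "$perms" | cut -c8)        # other read bit
  fi
  [ "$bit" = r ]
}

# log_group_of AUDITD_CONF -> effective log_group (auditd's default is root).
log_group_of() {
  g=$(sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
  printf '%s\n' "${g:-root}"
}

# check_audit_read USER AUDITD_CONF LOGFILE -> 0 if readable; otherwise prints
# the fix from the thread (log_group = a group USER belongs to) and returns 1.
check_audit_read() {
  user="$1"; conf="$2"; file="$3"
  if can_read "$user" "$file"; then
    echo "ok: $user can read $file"
    return 0
  fi
  want=$(id -gn "$user" 2>/dev/null || echo "$user")
  echo "DENIED: $user cannot read $file (auditd log_group is '$(log_group_of "$conf")')"
  echo "fix: set 'log_group = $want' in $conf, restart auditd, then re-check"
  return 1
}

# Usage: check_audit_read splunk /etc/audit/auditd.conf /var/log/audit/audit.log
```

The directory containing the log must also be searchable by the account; the check covers the file's mode only.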
No. The passAuth=root passes an authentication code for the splunk account root if it exists and not the OS account root.
Is it not possible to get Splunk to run the script as root using passAuth = root?
I should add that running the ausearch command manually gives me:
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
Error opening /var/log/audit/audit.log (Permission denied)