
Can't get rlog.sh to run

responsys_cm
Builder

I'm trying to get auditd events into Splunk using the script from the TA-unix app. I get events like the following in _internal:

06-14-2012 18:09:55.042 -0700 INFO ExecProcessor - Ran script: /opt/splunk/etc/apps/CentOS_Security/bin/rlog.sh, took 21.93 milliseconds to run, 0 bytes read, exited with code 1

My inputs.conf (note, I've tried both with and without the authPass setting):

[script://./bin/rlog.sh]
sourcetype = auditd
source = auditd
interval = 60
index = security
disabled = 0
passAuth = root

These are the permissions on the audit.log file:

-rw------- 1 root root 1326504 Jun 14 18:15 audit.log

If I su to Splunk and run the script, I get nothing. If I run it as root, I see events.

Any ideas? I notice in the TA-unix app's inputs.conf file, it doesn't use the passAuth line.

Thx.

Craig

0 Karma

jgoddard
Path Finder

I have a different issue with rlog.sh, but the permission issue for the audit.log is pretty easy to fix, assuming you can change /etc/audit/auditd.conf

Just add "log_group = splunk" to your auditd.conf file (assuming your splunk user is a member of the "splunk" group). Personally, I have my config management add the splunk user to the "adm" group, as that gets it read rights to just about all the logfiles; then you could make the auditd.conf file have log_group = adm and you would still be OK.

0 Karma

_d_
Splunk Employee

It looks like the user that splunk is running as does not have the right permissions to access /var/log/audit/audit.log. This is generally true in most Linux systems, where only root has access to /var/log/* files.

Solution: (1) run splunk as root, or (2), more preferably, give splunk read permissions on that file, or on the entire /var/log/ dir.

Hope this helps.

lakshman239
SplunkTrust

One option would be to change the group of the audit.log in /etc/audit/audit.rules to, say, 'adm' and make the 'splunk' user a member of the 'adm' group, so the splunk process can read the /var/log/audit/audit.log files. [The 'audit' directory should have the 'adm' group as well, or 'read' access for 'adm'.]

0 Karma
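The two replies above (jgoddard's and lakshman239's) both come down to the same fix: make auditd hand its log file to a group the splunk user belongs to, and make sure the group read bit is actually set. The script below is an added example for this thread, not code from the TA-unix app or from any poster. It assumes the real `log_group` key in /etc/audit/auditd.conf (the key exists; the sample config it edits is constructed) and that you will restart auditd after editing the real file so the new group ownership is applied. The `group_can_read` check also covers the point lakshman239 makes about the directory: run it against /var/log/audit itself as well as audit.log, because without group read and execute on the directory the file is unreachable even when its own bits are right.

```shell
#!/bin/sh
# Added example, not from the thread or from the TA-unix app.
#   set_log_group   - set "log_group = GROUP" in an auditd.conf (copy or real file)
#   get_log_group   - report the effective log_group (auditd's default is root)
#   group_can_read  - tell from the mode bits whether GROUP could read a path
# The auditd.conf content used in the demonstration at the bottom is constructed.

# set_log_group CONF GROUP
# Replace an existing "log_group = ..." line in CONF, or append one if absent.
set_log_group() {
  conf=$1
  group=$2
  if grep -Eq '^[[:space:]]*log_group[[:space:]]*=' "$conf"; then
    tmp=$(mktemp) || return 1
    sed -E "s/^[[:space:]]*log_group[[:space:]]*=.*/log_group = $group/" "$conf" > "$tmp" \
      && mv "$tmp" "$conf"
  else
    printf 'log_group = %s\n' "$group" >> "$conf"
  fi
}

# get_log_group CONF
# Print the effective log_group. Last setting wins; root when the key is absent.
get_log_group() {
  awk -F= '
    /^[[:space:]]*log_group[[:space:]]*=/ { v = $2; gsub(/[[:space:]]/, "", v) }
    END { print (v == "" ? "root" : v) }
  ' "$1"
}

# group_can_read PATH GROUP
# Succeeds if PATH is world-readable, or is group-owned by GROUP with the group
# read bit set. Parses "ls -ld" so it works without GNU stat. It deliberately
# ignores owner bits: the splunk user should not own audit.log.
group_can_read() {
  path=$1
  group=$2
  set -- $(ls -ld "$path")     # $1 = mode string, $4 = group name
  mode=$1
  path_group=$4
  case $mode in
    ???????r*) return 0 ;;     # other-readable, any group will do
  esac
  if [ "$path_group" = "$group" ]; then
    case $mode in
      ????r*) return 0 ;;      # group-readable and it is our group
    esac
  fi
  return 1
}

# Stand-alone demonstration on a constructed copy of auditd.conf. For the real
# fix, edit /etc/audit/auditd.conf as root, restart auditd, and confirm with
# "ls -l /var/log/audit/audit.log" that the group and group-read bit changed.
conf=$(mktemp)
cat > "$conf" <<'EOF'
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
EOF
echo "log_group before: $(get_log_group "$conf")"
set_log_group "$conf" adm
echo "log_group after:  $(get_log_group "$conf")"
rm -f "$conf"
```

Two caveats once the real file is edited: the splunk user's new group membership (for example `usermod -aG adm splunk`) only takes effect for processes started afterwards, so restart splunkd as well as auditd; and check both `/var/log/audit` and `audit.log` with `group_can_read`, since auditd manages the file's group but your directory permissions are a separate matter.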

BobM
Builder

No. The passAuth=root passes an authentication code for the Splunk account root, if it exists, and not the OS account root.

0 Karma

responsys_cm
Builder

Is it not possible to get Splunk to run the script as root using passAuth = root?

0 Karma

responsys_cm
Builder

I should add that running the ausearch command manually gives me:

Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
Error opening /var/log/audit/audit.log (Permission denied)

0 Karma