Can't get rlog.sh to run

responsys_cm
Builder

I'm trying to get auditd events into Splunk using the script from the TA-unix app. I get events like the following in _internal:

06-14-2012 18:09:55.042 -0700 INFO ExecProcessor - Ran script: /opt/splunk/etc/apps/CentOS_Security/bin/rlog.sh, took 21.93 milliseconds to run, 0 bytes read, exited with code 1

My inputs.conf (note, I've tried both with and without the authPass setting):

[script://./bin/rlog.sh]
sourcetype = auditd
source = auditd
interval = 60
index = security
disabled = 0
passAuth = root

These are the permissions on the audit.log file:

-rw------- 1 root root 1326504 Jun 14 18:15 audit.log

If I su to Splunk and run the script, I get nothing. If I run it as root, I see events.

Any ideas? I notice in the TA-unix app's inputs.conf file, it doesn't use the passAuth line.

Thx.

Craig

0 Karma

jgoddard
Path Finder

I have a different issue with rlog.sh, but the permission issue for the audit.log is pretty easy to fix, assuming you can change /etc/audit/auditd.conf.

Just add "log_group = splunk" to your auditd.conf file (assuming your splunk user is a member of the "splunk" group). Personally, I have my config management add the splunk user to the "adm" group, as that gets it read rights to just about all the logfiles; then you could make the auditd.conf file have log_group=adm and you would still be ok.

0 Karma

_d_
Splunk Employee

It looks like the user that splunk is running as does not have the right permissions to access /var/log/audit/audit.log. This is generally true in most Linux systems, where only root has access to /var/log/* files.

Solution: (1) run splunk as root, or (2) more preferably, give splunk read permissions on that file, or on the entire /var/log/ dir.

Hope this helps.

lakshman239
SplunkTrust

One option would be to change the group of the audit.log in /etc/audit/audit.rules to, say, 'adm' and make the 'splunk' user a member of the 'adm' group, so the splunk process can read /var/log/audit/audit.log files. (The 'audit' directory should have the 'adm' group as well, or 'read' access for 'adm'.)

0 Karma
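The two answers above both come down to the same fix: let auditd hand its log to a group the splunk user belongs to (log_group in auditd.conf) instead of running the forwarder as root. The script below is an added example, not code from the thread, from Splunk or from the auditd project. It edits a copy of auditd.conf that you pass in, reads the value back, and includes a pure permission-bit check so the "-rw------- root root" situation from the question can be reasoned about without needing root. The file path, the group name and the function names are all assumptions of this example; on a real host run check_readable as the splunk user after restarting auditd.

```shell
#!/bin/sh
# Added example (not from the thread): point auditd's log_group at a group
# the splunk user is in, then verify the resulting permissions.

# set_log_group CONF GROUP
# Replace (or append) the log_group line in a copy of auditd.conf.
# auditd chgrp's audit.log to this group and grants it read permission.
set_log_group() {
    conf="$1"; grp="$2"
    if grep -q '^[[:space:]]*log_group[[:space:]]*=' "$conf"; then
        # POSIX sed via a temp file; "sed -i" differs between GNU and BSD.
        sed "s/^[[:space:]]*log_group[[:space:]]*=.*/log_group = $grp/" "$conf" \
            > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'log_group = %s\n' "$grp" >> "$conf"
    fi
}

# get_log_group CONF -> prints the configured group (last definition wins)
get_log_group() {
    sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# can_read MODE OWNER GROUP USER "USER_GROUPS"
# Pure DAC read check on an octal mode such as 0640, so the question's
# "-rw------- root root" case can be tested without touching real files.
# Returns 0 when USER could read the file, 1 otherwise.
can_read() {
    mode="$1"; owner="$2"; grp="$3"; user="$4"; ugroups="$5"
    [ "$user" = root ] && return 0            # root bypasses DAC
    perm=$(printf '%s' "$mode" | tail -c 3)   # drop leading 0 / setuid digit
    u=$(printf '%s' "$perm" | cut -c1)
    g=$(printf '%s' "$perm" | cut -c2)
    o=$(printf '%s' "$perm" | cut -c3)
    bit=$o
    if [ "$user" = "$owner" ]; then
        bit=$u
    else
        for gg in $ugroups; do [ "$gg" = "$grp" ] && bit=$g; done
    fi
    [ $((bit & 4)) -ne 0 ]
}

# check_readable FILE: live check for the current user (run as "splunk").
check_readable() {
    if [ -r "$1" ]; then
        echo "OK: $(id -un) can read $1"
    else
        echo "DENIED: $(id -un) (groups: $(id -nG)) cannot read $1"
        ls -ld "$1"
        return 1
    fi
}

# Usage on a host, after adding splunk to the adm group:
#   set_log_group /etc/audit/auditd.conf adm && service auditd restart
#   su - splunk -s /bin/sh -c 'check_readable /var/log/audit/audit.log'
```

The constructed-mode check mirrors the thread: with 0600 root:root only root reads the file; with log_group=adm auditd writes it 0640 root:adm, and a splunk user in adm passes while one outside adm still fails, which is why both the conf change and the group membership are needed.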

BobM
Builder

No. The passAuth=root passes an authentication token for the Splunk account "root", if it exists, and not the OS account root.

0 Karma

responsys_cm
Builder

Is it not possible to get Splunk to run the script as root using passAuth = root?

0 Karma

responsys_cm
Builder

I should add that running the ausearch command manually gives me:

Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
Error opening /var/log/audit/audit.log (Permission denied)

0 Karma