Convert audit.log uid to usernames using

I've seen references to leveraging the script in the *NIX app to convert Linux uids and gids in the audit.log to human-readable usernames, but I have not found exactly how to use this solution on custom apps. How can I use the in a custom app so the audit.log data coming in is in a human-readable format? I assume this is not as simple as placing the file on the indexer, within the app's bin directory?

Re: Convert audit.log uid to usernames using

It appears I figured out the solution. This setup essentially uses a "scripted-input". Add the following to your inputs.conf in your custom-app for your forwarder:

# This script reads the auditd logs translated with ausearch
sourcetype = auditd
source = auditd
interval = 60
index = [INDEX NAME - CHANGE ME (default is "os")]
disabled = 0

Place a copy of the (it leverages the and scripts) in a directory called "bin" within the root of your custom-app on the forwarder. That's it! Now I just need to figure out how to combine the 3 lines generated per log item in the audit.log to read as a single event.
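As an added illustration (not the *NIX app's script and not the poster's code), the Python below shows what the uid/gid translation does and how the records that share one msg=audit(timestamp:serial) id can be merged into a single event; the sample records and the FALLBACK_USERS/FALLBACK_GROUPS tables are constructed so it runs the same on any host.

```python
import grp
import pwd
import re

# Constructed sample: the three records auditd emits for one event, tied together by the msg=audit(ts:serial) id.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1000 gid=0 egid=0 comm="cat" exe="/usr/bin/cat"
type=EXECVE msg=audit(1700000000.123:4242): argc=2 a0="cat" a1="/etc/passwd"
type=PROCTITLE msg=audit(1700000000.123:4242): proctitle=636174002F6574632F706173737764
"""
# Assumed id tables so the output is identical on any host; pass None to use the local passwd/group databases.
FALLBACK_USERS = {0: "root", 1000: "alice"}
FALLBACK_GROUPS = {0: "root"}
UID_FIELDS = ("uid", "auid", "euid", "suid", "fsuid", "ouid")
GID_FIELDS = ("gid", "egid", "sgid", "fsgid", "ogid")
UNSET = 4294967295  # (unsigned)-1: auid not set, e.g. daemons started at boot
MSG_ID_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r"\b(" + "|".join(UID_FIELDS + GID_FIELDS) + r")=(\d+)\b")


def name_for_id(value, table, lookup):
    """Render an id as 'id(name)'; the unset sentinel and unknown ids stay numeric."""
    if value == UNSET:
        return "unset"
    try:
        name = table[value] if table is not None else lookup(value)
    except KeyError:  # raised by both a dict miss and pwd/grp for an unknown id
        name = None
    return f"{value}({name})" if name else str(value)


def resolve_ids(event, users=None, groups=None):
    """Rewrite every uid- and gid-family field of one event, as ausearch -i would."""
    def sub(m):
        field, value = m.group(1), int(m.group(2))
        if field in UID_FIELDS:
            return f"{field}={name_for_id(value, users, lambda i: pwd.getpwuid(i).pw_name)}"
        return f"{field}={name_for_id(value, groups, lambda i: grp.getgrgid(i).gr_name)}"
    return FIELD_RE.sub(sub, event)


def group_events(log_text):
    """Merge the records that share one audit(ts:serial) id into a single event string."""
    events = {}  # insertion-ordered, so events come out in log order
    for line in log_text.splitlines():
        m = MSG_ID_RE.search(line)
        if not m:
            continue  # not an audit record (e.g. a truncated line)
        rec_type, fields = line[:m.start()].strip(), line[m.end():].lstrip(": ")
        events.setdefault(m.group(0), []).append(f"{rec_type} {fields}")
    return [f"{msg_id} {' '.join(parts)}" for msg_id, parts in events.items()]
```

Running `resolve_ids(e, FALLBACK_USERS, FALLBACK_GROUPS)` over `group_events(SAMPLE_LOG)` yields one event with `uid=0(root) auid=1000(alice) gid=0(root) egid=0(root)`; an auid of 4294967295 is reported as `unset` rather than looked up.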

