I've seen references to leveraging the rlog.sh script in the *NIX app to convert Linux uids and gids in the audit.log to human readable usernames, but I have not found exactly how to use this solution on custom apps. How can I use the rlog.sh in a custom app so the audit.log data coming in is in a human readable format. I assume this is not as simple as placing the file on the indexer, within the app's bin directory?
It appears I figured out the solution. This setup essentially uses a "scripted-input". Add the following to your inputs.conf in your custom-app for your forwarder:
# This script reads the auditd logs translated with ausearch
sourcetype = auditd
source = auditd
interval = 60
index = [INDEX NAME - CHANGE ME (default is "os"]
disabled = 0
Place a copy of the common.sh (rlog.sh leverages common.sh) and rlog.sh scripts in a directory called "bin" within the root your custom-app on the forwarder. That's it! Now I just need to figure out how to combine the 3 lines generated per log item in the audit.log to read as a single event.