All Apps and Add-ons
Highlighted

Convert audit.log uid to usernames using rlog.sh

Path Finder

I've seen references to leveraging the rlog.sh script in the *NIX app to convert Linux uids and gids in the audit.log to human readable usernames, but I have not found exactly how to use this solution on custom apps. How can I use the rlog.sh in a custom app so the audit.log data coming in is in a human readable format. I assume this is not as simple as placing the file on the indexer, within the app's bin directory?

0 Karma
Highlighted

Re: Convert audit.log uid to usernames using rlog.sh

Path Finder

It appears I figured out the solution. This setup essentially uses a "scripted-input". Add the following to your inputs.conf in your custom-app for your forwarder:

# This script reads the auditd logs translated with ausearch
[script://./bin/rlog.sh]
sourcetype = auditd
source = auditd
interval = 60
index = [INDEX NAME - CHANGE ME (default is "os"]
disabled = 0

Place a copy of the common.sh (rlog.sh leverages common.sh) and rlog.sh scripts in a directory called "bin" within the root your custom-app on the forwarder. That's it! Now I just need to figure out how to combine the 3 lines generated per log item in the audit.log to read as a single event.

View solution in original post