
Scripted input of ausearch returns different output compared to when run from the command line

neiljpeterson
Communicator

I am using a scripted input from ausearch to get logs from auditd.

inputs.conf

[script://./bin/get_ausearch.sh]
sourcetype=linux_audit
interval=* * * * *

get_ausearch.sh

sudo /sbin/ausearch --start recent -k testing

I have tested this with splunkd running as both root and as splunk (which is in sudoers) and I get the same result.

The result I get in Splunk is

11-05-2014 10:17:00.074 -0600 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/myapp/bin/get_ausearch.sh"

This is actual output from ausearch (note the ERROR and the ``); it is just not the correct output.

Simultaneously I can manually run the script (or copy the command verbatim) and get the correct results I expect to see.

I also redirected stdout and stderr to files and got the same results.

Any idea what is going on here?

NOTE
I could, of course, monitor the audit.log file itself but I want to filter on the key, and not index all of the audit events. I also realize that the suggested approach is to use the rlog.sh from Splunk Add-on for Unix and Linux but this is a very narrow and specific monitoring use case, so I am trying to come up with the lightest approach possible.
1 Solution

neiljpeterson
Communicator

So I found the fix. I should have read the man file for ausearch more carefully. From the documentation for ausearch:

--input-logs
Use the log file location from auditd.conf as input for searching. This is needed if you are using ausearch from a cron job.

This value is defined globally in /etc/audit/auditd.conf but in this instance we need to tell ausearch that it is ok to use that file.

The working command for my scripted input in get_ausearch.sh is

sudo /sbin/ausearch --start recent --key testing --input-logs

Even though this isn't strictly a cron job, this is the only reasonable explanation I can find. Someone please correct me if I am wrong.

(Edited with the correct information, my previous answer was slightly incorrect)
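A fuller version of the scripted input, added here as an example and not the poster's own script, shows the fix in context: it passes --input-logs so ausearch reads the log named in /etc/audit/auditd.conf, and it separates ausearch's records (stdout, which Splunk indexes) from its diagnostics (stderr, which splunkd reports as ExecProcessor ERROR lines as seen above). The AUSEARCH_BIN, AUSEARCH_KEY and SUDO overrides are assumptions added for testing, not part of the original post, as is treating ausearch's "<no matches>" result (non-zero exit with that text on stderr) as an empty poll rather than a failure.

```shell
#!/bin/sh
# get_ausearch.sh: Splunk scripted-input wrapper around ausearch.
# Added example, not the poster's script. Assumed, not from the original post:
# the AUSEARCH_BIN / AUSEARCH_KEY / SUDO environment overrides (defaults match
# the post) and the handling of ausearch's "<no matches>" exit.

: "${AUSEARCH_BIN:=/sbin/ausearch}"   # binary to run; overridable for testing
: "${AUSEARCH_KEY:=testing}"          # the -k/--key value from the post
: "${SUDO=sudo}"                      # set SUDO="" to run without sudo

# Run one poll of ausearch. Records go to stdout, which is what Splunk indexes.
# --input-logs is the fix from the answer: without it, ausearch started by
# splunkd (no tty, not a cron job) does not read the auditd.conf log file.
run_ausearch() {
    errfile=$(mktemp) || return 1
    # $SUDO is deliberately unquoted so an empty value disappears entirely.
    if $SUDO "$AUSEARCH_BIN" --start recent --key "$AUSEARCH_KEY" --input-logs 2>"$errfile"; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -ne 0 ]; then
        if grep -q '<no matches>' "$errfile"; then
            # Empty poll window: nothing to index and nothing wrong.
            status=0
        else
            # Real failure: tag the message so it is recognisable in splunkd.log.
            sed 's/^/get_ausearch.sh: /' "$errfile" >&2
        fi
    fi
    rm -f "$errfile"
    return "$status"
}

# Run the poll only when invoked as the scripted input itself, so the file can
# also be sourced to exercise run_ausearch against a stub binary.
case "${0##*/}" in
    get_ausearch.sh) run_ausearch ;;
esac
```

Run from inputs.conf exactly as in the post; the interval stays at one minute and --start recent keeps each poll to the last ten minutes of records, so overlapping polls are expected and de-duplication, if wanted, belongs on the Splunk side.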
