
Scripted input of ausearch returns different output compared to when run from the command line

neiljpeterson
Communicator

I am using a scripted input from ausearch to get logs from auditd

inputs.conf

[script://./bin/get_ausearch.sh]
sourcetype=linux_audit
interval=* * * * *

get_ausearch.sh

sudo /sbin/ausearch --start recent -k testing

I have tested this with splunkd running as both root and as splunk (which is in sudoers) and I get the same result.

The result I get in Splunk is

11-05-2014 10:17:00.074 -0600 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/myapp/bin/get_ausearch.sh"

This is actual output from ausearch (note the ERROR and the ``); it is just not the correct output.

Simultaneously I can manually run the script (or copy the command verbatim) and get the correct results I expect to see.

I also redirected stdout and stderr to files and got the same results.

Any idea what is going on here?

NOTE
I could, of course, monitor the audit.log file itself, but I want to filter on the key and not index all of the audit events. I also realize that the suggested approach is to use the rlog.sh from Splunk Add-on for Unix and Linux, but this is a very narrow and specific monitoring use case, so I am trying to come up with the lightest approach possible.
1 Solution

neiljpeterson
Communicator

So I found the fix. I should have read the man file for ausearch more carefully. From the documentation for ausearch:

--input-logs
Use the log file location from auditd.conf as input for searching. This is needed if you are using ausearch from a cron job.

This value is defined globally in /etc/audit/auditd.conf but in this instance we need to tell ausearch that it is ok to use that file.

The working command for my scripted input in get_ausearch.sh is

sudo /sbin/ausearch --start recent --key testing --input-logs

Even though this isn't strictly a cron job, this is the only reasonable explanation I can find. Someone please correct me if I am wrong.

(Edited with the correct information, my previous answer was slightly incorrect)

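A scripted input that applies the accepted fix, added here as an example and not the poster's own get_ausearch.sh: it runs ausearch with --input-logs and, because splunkd logs anything a script writes to stderr as an ExecProcessor ERROR, it keeps the routine "<no matches>" result (exit status 1 when nothing matched) from filling splunkd.log on every empty interval. The key name "testing" and the sudo setup are taken from the thread; AUSEARCH, SUDO and AUDIT_KEY are overridable assumptions so the logic can be exercised on a host without auditd.

```shell
#!/bin/sh
# Splunk scripted input: pull only auditd events carrying one audit key.
# Added example, not the poster's get_ausearch.sh. Assumes the key
# "testing" and the sudo setup from the thread; AUSEARCH, SUDO and
# AUDIT_KEY are overridable so the logic can run without auditd present.
set -u

AUSEARCH="${AUSEARCH:-/sbin/ausearch}"
AUDIT_KEY="${AUDIT_KEY:-testing}"
SUDO="${SUDO-sudo}"   # set SUDO="" if the forwarder already runs as root

# Run ausearch with the fix from the accepted answer. --input-logs makes it
# read the log path from /etc/audit/auditd.conf, which is what it needs when
# started by splunkd (or cron) rather than from an interactive shell.
# Note: --start recent means "10 minutes ago" (ausearch(8)); with the
# one-minute interval in inputs.conf each event is re-read up to ten times.
run_ausearch() {
    err=$(mktemp) || return 1
    rc=0
    $SUDO "$AUSEARCH" --start recent --key "$AUDIT_KEY" --input-logs \
        2>"$err" || rc=$?
    # With nothing matched, ausearch exits 1 and prints "<no matches>" on
    # stderr. Splunk's ExecProcessor logs anything on stderr as an ERROR in
    # splunkd.log, so treat that case as a clean, empty run and only pass
    # through stderr from real failures.
    if [ "$rc" -ne 0 ] && [ "$(cat "$err")" = "<no matches>" ]; then
        rc=0
    elif [ "$rc" -ne 0 ]; then
        cat "$err" >&2
    fi
    rm -f "$err"
    return "$rc"
}

# When invoked by splunkd the events go to stdout and get indexed; the guard
# just skips the real search on hosts without ausearch (e.g. when testing).
if [ -x "$AUSEARCH" ]; then
    run_ausearch
fi
```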
