I have tested this with splunkd running as both root and as splunk (which is in sudoers) and I get the same result.
The result I get in Splunk is
11-05-2014 10:17:00.074 -0600 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/myapp/bin/get_ausearch.sh"
This is actual output from ausearch (note the ERROR and the ``); it is just not the correct output.
Simultaneously I can manually run the script (or copy the command verbatim) and get the correct results I expect to see.
I also redirected stdout and stderr to files and got the same results.
Any idea what is going on here?
I could, of course, monitor the audit.log file itself, but I want to filter on the key and not index all of the audit events. I also realize that the suggested approach is to use the rlog.sh from the Splunk Add-on for Unix and Linux, but this is a very narrow and specific monitoring use case, so I am trying to come up with the lightest approach possible.
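A diagnostic wrapper for such a scripted input, added here as an example and not the poster's get_ausearch.sh: it records the context splunkd runs the script in and indexes ausearch's stderr and exit status alongside its stdout, so the two runs can be compared in Splunk. The key name myapp_key, the AUSEARCH override variable and the DIAG prefix are assumptions.

```shell
#!/bin/sh
# Example wrapper for a Splunk scripted input that runs ausearch for one key.
# Assumptions: AUDIT_KEY is the audit rule key (placeholder myapp_key);
# AUSEARCH may be overridden to point at another binary for testing.
AUDIT_KEY="${AUDIT_KEY:-myapp_key}"
AUSEARCH="${AUSEARCH:-ausearch}"
WORK="${TMPDIR:-/tmp}/get_ausearch.$$"

# Emit the environment splunkd hands the script; a PATH, HOME or uid that
# differs from the interactive shell is the usual reason output diverges.
emit_context() {
    printf 'DIAG uid=%s path=%s home=%s cwd=%s\n' \
        "$(id -u)" "$PATH" "${HOME:-unset}" "$(pwd)"
}

# Run ausearch for the key with stdout and stderr separated. Stdout is passed
# through unchanged; each stderr line and the exit status become DIAG events
# so an empty result is explained instead of silently indexed as "".
run_audit_query() {
    out="$WORK.out"
    err="$WORK.err"
    "$AUSEARCH" -i -k "$AUDIT_KEY" >"$out" 2>"$err"
    status=$?
    cat "$out"
    while IFS= read -r line; do
        printf 'DIAG stderr: %s\n' "$line"
    done <"$err"
    printf 'DIAG exit_status=%s\n' "$status"
    rm -f "$out" "$err"
    return "$status"
}

main() {
    emit_context
    run_audit_query
}

# Only run when invoked as the script itself, so the functions can be sourced.
case "$0" in
    */get_ausearch.sh|get_ausearch.sh) main ;;
esac
```

Searching the index for `DIAG exit_status` next to the empty events shows whether ausearch failed, found nothing, or was never found on splunkd's PATH.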