I'm trying to get auditd events into Splunk using the rlog.sh script from the Splunk Add-on for Unix and Linux. It isn't working.
The audit logs are not being ingested. No errors are appearing in index=_internal for the host. It is successfully scheduled through the ExecProcessor component:
0400 INFO ExecProcessor [1975905 ExecProcessor] - New scheduled exec process: /opt/splunkforwarder/etc/apps/Splunk_TA_nix_l1_inputs/bin/rlog.sh
To attempt to address the problem I have done the following:
- Had the host owner ensure dependent utilities are installed (listed in https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Requirements#Dependencies).
- Had the host owner change the log_group from root to splunk in /etc/audit/auditd.conf (suggested in https://community.splunk.com/t5/All-Apps-and-Add-ons/Can-t-get-rlog-sh-to-run/m-p/76143).
When executing rlog in debug mode (./rlog.sh --debug) we get the following output:
- As splunk user:
Blank output
- As root user:
Expected output
Additional details:
- This host was recently rebuilt. Before the rebuild the audit logs on this host were ingesting successfully through the Add-on.
- Other scripts through the Add-on are working on this host.
- This problem has not materialized on any of our other hosts utilizing the Add-on.
Thanks in advance for your input!
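Added example, not from the original post or from the Splunk add-on: two POSIX sh helpers that check the two things the post circles around, the log_group value in auditd.conf and whether a given user (such as splunk) can read the audit log, judged from the file's mode bits and the user's group membership. The file paths and user names are assumptions; ACLs and SELinux labels are not considered.

```shell
#!/bin/sh
# Diagnostic helpers (added example, not part of the Splunk add-on).

# Print the log_group value from an auditd.conf; auditd defaults to root
# when the key is absent, so that is what we print for a missing key/file.
auditd_log_group() {
  conf=${1:-/etc/audit/auditd.conf}   # path is an assumption
  val=$(sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
  echo "${val:-root}"
}

# Report whether USER can read FILE based on owner/group/other read bits.
# Exit status: 0 = readable, 1 = not readable, 2 = missing file or unknown user.
# A "blank as splunk, fine as root" rlog.sh result usually lands in case 1.
audit_log_readable() {
  file=$1 user=$2
  [ -f "$file" ] || { echo "no such file: $file"; return 2; }
  groups=$(id -Gn "$user" 2>/dev/null) || { echo "unknown user: $user"; return 2; }
  # ls -ld fields: mode links owner group ... (file names without spaces assumed)
  set -- $(ls -ld "$file")
  mode=$1 owner=$3 group=$4
  ur=$(echo "$mode" | cut -c2)   # owner read bit
  gr=$(echo "$mode" | cut -c5)   # group read bit
  or=$(echo "$mode" | cut -c8)   # other read bit
  if [ "$owner" = "$user" ]; then
    [ "$ur" = r ] && { echo "$user reads $file as owner"; return 0; }
    echo "$user owns $file but the owner read bit is clear ($mode)"; return 1
  fi
  for g in $groups; do
    if [ "$g" = "$group" ]; then
      [ "$gr" = r ] && { echo "$user reads $file via group $group"; return 0; }
      echo "$user is in group $group but the group read bit is clear ($mode)"; return 1
    fi
  done
  [ "$or" = r ] && { echo "$user reads $file via world-readable bits"; return 0; }
  echo "$user cannot read $file: owner=$owner group=$group mode=$mode"; return 1
}

# Example run against the real locations (assumed paths and user name):
# audit_log_readable /var/log/audit/audit.log splunk
# echo "auditd.conf log_group: $(auditd_log_group)"
```

Run it as any user: it reasons from the mode bits, so it gives the same answer whether invoked as root or as splunk.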