Hi,
I have audit data coming from a port (UDP) to Heavy Forwarder[via syslog] and have to apply rlog.sh on the same.
Just to start, I tried to monitor a custom path rather than the /var/log/audit/audit.log and used rlog.sh script.
Something like this:
[monitor:///vf/home/splunk/Audit_new.log]
[script:///opt/splunk/splunkforwarder/etc/apps/Splunk_TA_nix/bin/rlog.sh]
sourcetype = auditd_nix
interval = 1
index = vf_os
disabled = 0
passAuth = splunk
Instead of indexing vf/home/splunk/Audit_new.log, SPLUNK indexed /var/log/audit/auditd.log with index=vf_os and sourcetype=auditd_nix and source=/opt/splunk/splunkforwarder/etc/apps/Splunk_TA_nix/bin/rlog.sh
I want to index the sample file i placed under custom path vf/home/splunk/Audit_new.log with rlog.sh implemented.
Thanks,
Payal
Hi,
If you want to monitor audit.log
from different path then you need to modify rlog.sh
and it is not best practice to modify script shipped with Add-on because when you will upgrade the Splunk Add-on for Linux and Unix it will overwrite rlog.sh
& due to this your monitoring will break.
If you still want to achieve this using custom rlog.sh then change below config in rlog.sh
From
AUDIT_FILE=/var/log/audit/audit.log
To
AUDIT_FILE=/vf/home/splunk/Audit_new.log
And remove [monitor:///vf/home/splunk/Audit_new.log]
from inputs.conf
Hi,
If you want to monitor audit.log
from different path then you need to modify rlog.sh
and it is not best practice to modify script shipped with Add-on because when you will upgrade the Splunk Add-on for Linux and Unix it will overwrite rlog.sh
& due to this your monitoring will break.
If you still want to achieve this using custom rlog.sh then change below config in rlog.sh
From
AUDIT_FILE=/var/log/audit/audit.log
To
AUDIT_FILE=/vf/home/splunk/Audit_new.log
And remove [monitor:///vf/home/splunk/Audit_new.log]
from inputs.conf
Thanks.
It's working!
As a follow up:
Could you add a second
AUDIT_FILE=<PATH>
To index a second custom audit file path along with the default?