I have audit data coming from a port (UDP) to Heavy Forwarder[via syslog] and have to apply rlog.sh on the same.
Just to start, I tried to monitor a custom path rather than the /var/log/audit/audit.log and used rlog.sh script.
Something like this:
[monitor:///vf/home/splunk/Audit_new.log]
[script:///opt/splunk/splunkforwarder/etc/apps/Splunk_TA_nix/bin/rlog.sh]
sourcetype = auditd_nix
interval = 1
index = vf_os
disabled = 0
passAuth = splunk
Instead of indexing /vf/home/splunk/Audit_new.log, Splunk indexed /var/log/audit/auditd.log with index=vf_os, sourcetype=auditd_nix and source=/opt/splunk/splunkforwarder/etc/apps/Splunk_TA_nix/bin/rlog.sh.
I want to index the sample file I placed under the custom path /vf/home/splunk/Audit_new.log with rlog.sh implemented.
If you want to monitor audit.log from a different path then you need to modify rlog.sh, and it is not best practice to modify a script shipped with the Add-on, because when you upgrade the Splunk Add-on for Linux and Unix it will overwrite rlog.sh and your monitoring will break.
If you still want to achieve this using a custom rlog.sh then change the config below in rlog.sh:
From: AUDIT_FILE=/var/log/audit/audit.log
To:   AUDIT_FILE=/vf/home/splunk/Audit_new.log
[monitor:///vf/home/splunk/Audit_new.log] from inputs.conf
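One way to apply the AUDIT_FILE change without editing the script the Add-on ships, as an added example that is not from the thread or from Splunk_TA_nix: copy rlog.sh into a separate app so an upgrade of the Add-on does not overwrite it, and feed it with a [script://] stanza rather than the [monitor://] stanza. The app name vf_audit and the SPLUNK_HOME default are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Add-on). Copies rlog.sh into a
# separate app directory (hypothetical app "vf_audit") and rewrites the
# AUDIT_FILE assignment there, so upgrading Splunk_TA_nix leaves it alone.
set -eu

# Rewrite the AUDIT_FILE= line in a copy of rlog.sh.
# $1 = source rlog.sh, $2 = destination script, $3 = audit log to read
rewrite_audit_file() {
    src=$1; dst=$2; audit=$3
    mkdir -p "$(dirname "$dst")"
    # Only the AUDIT_FILE= line changes; everything else is copied verbatim.
    sed "s#^AUDIT_FILE=.*#AUDIT_FILE=$audit#" "$src" > "$dst"
    chmod 0755 "$dst"
    # Fail loudly if the source had no AUDIT_FILE= line to rewrite.
    grep "^AUDIT_FILE=$audit\$" "$dst" > /dev/null
}

# Print the scripted-input stanza that replaces [monitor://...] in inputs.conf:
# a scripted input reads whatever AUDIT_FILE points at, not the monitored path.
# $1 = script path, $2 = index, $3 = sourcetype
inputs_stanza() {
    cat <<EOF
[script://$1]
sourcetype = $3
interval = 1
index = $2
disabled = 0
passAuth = splunk
EOF
}

main() {
    SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk/splunkforwarder}   # path from the question
    src="$SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/rlog.sh"
    dst="$SPLUNK_HOME/etc/apps/vf_audit/bin/rlog.sh"          # assumed local app
    rewrite_audit_file "$src" "$dst" /vf/home/splunk/Audit_new.log
    inputs_stanza "$dst" vf_os auditd_nix
}

# Set RLOG_APPLY=1 to actually copy the script and print the stanza to paste
# into the vf_audit app's inputs.conf.
if [ "${RLOG_APPLY:-0}" = 1 ]; then main; fi
```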