Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Custom audit path with rlog.sh
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have audit data coming from a port (UDP) to Heavy Forwarder[via syslog] and have to apply rlog.sh on the same.
Just to start, I tried to monitor a custom path rather than the /var/log/audit/audit.log and used rlog.sh script.
Something like this:
[monitor:///vf/home/splunk/Audit_new.log]
[script:///opt/splunk/splunkforwarder/etc/apps/Splunk_TA_nix/bin/rlog.sh]
sourcetype = auditd_nix
interval = 1
index = vf_os
disabled = 0
passAuth = splunk
Instead of indexing vf/home/splunk/Audit_new.log, SPLUNK indexed /var/log/audit/auditd.log with index=vf_os and sourcetype=auditd_nix and source=/opt/splunk/splunkforwarder/etc/apps/Splunk_TA_nix/bin/rlog.sh
I want to index the sample file i placed under custom path vf/home/splunk/Audit_new.log with rlog.sh implemented.
Thanks,
Payal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
If you want to monitor audit.log from different path then you need to modify rlog.sh and it is not best practice to modify script shipped with Add-on because when you will upgrade the Splunk Add-on for Linux and Unix it will overwrite rlog.sh & due to this your monitoring will break.
If you still want to achieve this using custom rlog.sh then change below config in rlog.sh
From
AUDIT_FILE=/var/log/audit/audit.log
To
AUDIT_FILE=/vf/home/splunk/Audit_new.log
And remove [monitor:///vf/home/splunk/Audit_new.log] from inputs.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
If you want to monitor audit.log from different path then you need to modify rlog.sh and it is not best practice to modify script shipped with Add-on because when you will upgrade the Splunk Add-on for Linux and Unix it will overwrite rlog.sh & due to this your monitoring will break.
If you still want to achieve this using custom rlog.sh then change below config in rlog.sh
From
AUDIT_FILE=/var/log/audit/audit.log
To
AUDIT_FILE=/vf/home/splunk/Audit_new.log
And remove [monitor:///vf/home/splunk/Audit_new.log] from inputs.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks.
It's working!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As a follow up:
Could you add a second
AUDIT_FILE=<PATH>
To index a second custom audit file path along with the default?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
