Deployment Architecture
Highlighted

Custom audit path with rlog.sh

Path Finder

Hi,

I have audit data coming from a port (UDP) to Heavy Forwarder[via syslog] and have to apply rlog.sh on the same.

Just to start, I tried to monitor a custom path rather than the /var/log/audit/audit.log and used rlog.sh script.

Something like this:

[monitor:///vf/home/splunk/Audit_new.log]
[script:///opt/splunk/splunkforwarder/etc/apps/Splunk_TA_nix/bin/rlog.sh]
sourcetype = auditd_nix
interval = 1
index = vf_os
disabled = 0
passAuth = splunk

Instead of indexing vf/home/splunk/Auditnew.log, SPLUNK indexed /var/log/audit/auditd.log with index=vfos and sourcetype=auditdnix and source=/opt/splunk/splunkforwarder/etc/apps/SplunkTA_nix/bin/rlog.sh

I want to index the sample file i placed under custom path vf/home/splunk/Audit_new.log with rlog.sh implemented.

Thanks,
Payal

0 Karma
Highlighted

Re: Custom audit path with rlog.sh

SplunkTrust
SplunkTrust

Hi,

If you want to monitor audit.log from different path then you need to modify rlog.sh and it is not best practice to modify script shipped with Add-on because when you will upgrade the Splunk Add-on for Linux and Unix it will overwrite rlog.sh & due to this your monitoring will break.

If you still want to achieve this using custom rlog.sh then change below config in rlog.sh

From
AUDIT_FILE=/var/log/audit/audit.log

To
AUDIT_FILE=/vf/home/splunk/Audit_new.log

And remove [monitor:///vf/home/splunk/Audit_new.log] from inputs.conf

View solution in original post

0 Karma
Highlighted

Re: Custom audit path with rlog.sh

Path Finder

Thanks.

It's working!

0 Karma
Highlighted

Re: Custom audit path with rlog.sh

Path Finder

As a follow up:

Could you add a second

AUDIT_FILE=<PATH>

To index a second custom audit file path along with the default?

0 Karma