Deployment Architecture

Entire audit log is not forwardering, missing type=PATH entry

djfisher
Explorer

I noticed after an internal audit that Splunk is not forwarding the entire audit.log. I am using Linux Redhat 5. All other "types" look to be captured and forwarded. I see that the Type=PATH line (showing file from permission denied entry) is not forwarding. Why would it exclude this line from the audit file? I did index source type as linux_audit, and tried linux_secure and automatic.

My example for those linux gurus.

doing a cat command on /etc/shadow. creates audit entry example type=SYSCALL success=no exe=/bin/cat...

type CWD cwd=/etc...

type=PATH name="shadow"....

Line type=PATH is not being indexed
Tags (1)
0 Karma

djfisher
Explorer

I am not using the unix apps. I did make a props.conf file under the local directory. Splunk restarted ok, but PATH is still not getting indexed. I will ask the question to more Splunk guys. Thanks for the response John. As for ID numbers, I just tag the id with the person's last name. (enter manually). Luckily not too many users here to monitor.

Any more suggestions on PATH let me know.

Thanks David

0 Karma

JohnRitter
Engager

I have been struggling with the same problem, and I think just figured it out:

My first solution was for monitoring audit.log as a file (so you get numbers instead of uid's, etc.). I created a file /opt/splunk/etc/system/local/props.xml with the following in it:

[linux_audit]
LINE_BREAKER = ^----$

Since the audit.log file contains ---- separators between each event, so all lines between the "----" lines can be assumed to be related to the same event. The LINE_BREAKER setting above causes all of the lines (SYSCALL, CWD, PATH) for a single event to be grouped together for indexing and display. I never figured out why the type=PATH lines got dropped but this prevents it when you are monitoring it as a file.

I then started using the "rlog.sh" script to monitor the audits so that it would use ausearch -i to translate the audit information to a more human-readable format. However, the same solution did not work. You have to edit the rlog.sh script so that it stops stripping out the "----" separators. Edit the script and remove the "| grep -v ^----" from the ausearch -i command. Then you can make the same props.xml file as above but use the following LINE_BREAKER value:

[linux_audit]
LINE_BREAKER = (----[\r\n]+)

JohnRitter
Engager

Exactly. Values placed in .../system/local/ files will take precedence over the unix app defaults.

I forget to mention you have to restart Splunk after you make the change (for both versions), and it only affects logs that are indexed after the change & restart. To make it retro-active, you'd have to force it to re-index everything somehow. Since I'm just experimenting at this point, I'll probably just de-install and re-install Splunk to clear it out. There's probably a more graceful way to do it though.

0 Karma

djfisher
Explorer

How did the first option work? You simple make this file and save it to the /local/ directory as props.xml and it will modify linux_audit?

David

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...