Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Entire audit log is not forwardering, missing type=PATH entry

djfisher
Explorer
‎11-04-2010 03:37 PM

I noticed after an internal audit that Splunk is not forwarding the entire audit.log. I am using Linux Redhat 5. All other "types" look to be captured and forwarded. I see that the Type=PATH line (showing file from permission denied entry) is not forwarding. Why would it exclude this line from the audit file? I did index source type as linux_audit, and tried linux_secure and automatic.

My example for those linux gurus.

doing a cat command on /etc/shadow. creates audit entry example type=SYSCALL success=no exe=/bin/cat...

type CWD cwd=/etc...

type=PATH name="shadow"....

Line type=PATH is not being indexed
Tags (1)
0 Karma
Reply

djfisher
Explorer
‎11-09-2010 09:55 PM

I am not using the unix apps. I did make a props.conf file under the local directory. Splunk restarted ok, but PATH is still not getting indexed. I will ask the question to more Splunk guys. Thanks for the response John. As for ID numbers, I just tag the id with the person's last name. (enter manually). Luckily not too many users here to monitor.

Any more suggestions on PATH let me know.

Thanks David

0 Karma
Reply

JohnRitter
Engager
‎11-05-2010 01:23 AM

I have been struggling with the same problem, and I think just figured it out:

My first solution was for monitoring audit.log as a file (so you get numbers instead of uid's, etc.). I created a file /opt/splunk/etc/system/local/props.xml with the following in it:

[linux_audit]
LINE_BREAKER = ^----$

Since the audit.log file contains ---- separators between each event, so all lines between the "----" lines can be assumed to be related to the same event. The LINE_BREAKER setting above causes all of the lines (SYSCALL, CWD, PATH) for a single event to be grouped together for indexing and display. I never figured out why the type=PATH lines got dropped but this prevents it when you are monitoring it as a file.

I then started using the "rlog.sh" script to monitor the audits so that it would use ausearch -i to translate the audit information to a more human-readable format. However, the same solution did not work. You have to edit the rlog.sh script so that it stops stripping out the "----" separators. Edit the script and remove the "| grep -v ^----" from the ausearch -i command. Then you can make the same props.xml file as above but use the following LINE_BREAKER value:

[linux_audit]
LINE_BREAKER = (----[\r\n]+)
Reply

JohnRitter
Engager
‎11-08-2010 07:16 PM

Exactly. Values placed in .../system/local/ files will take precedence over the unix app defaults.

I forget to mention you have to restart Splunk after you make the change (for both versions), and it only affects logs that are indexed after the change & restart. To make it retro-active, you'd have to force it to re-index everything somehow. Since I'm just experimenting at this point, I'll probably just de-install and re-install Splunk to clear it out. There's probably a more graceful way to do it though.

0 Karma
Reply

djfisher
Explorer
‎11-08-2010 06:10 PM

How did the first option work? You simple make this file and save it to the /local/ directory as props.xml and it will modify linux_audit?

David

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...