I noticed after an internal audit that Splunk is not forwarding the entire audit.log. I am using Linux Redhat 5. All other "types" look to be captured and forwarded. I see that the Type=PATH line (showing file from permission denied entry) is not forwarding. Why would it exclude this line from the audit file? I did index source type as linux_audit, and tried linux_secure and automatic.
My example for those linux gurus.
Doing a cat command on /etc/shadow creates an audit entry, for example: type=SYSCALL success=no exe=/bin/cat...
type CWD cwd=/etc...
Line type=PATH is not being indexed
I am not using the unix apps. I did make a props.conf file under the local directory. Splunk restarted ok, but PATH is still not getting indexed. I will ask the question to more Splunk guys. Thanks for the response John. As for ID numbers, I just tag the id with the person's last name (entered manually). Luckily not too many users here to monitor.
Any more suggestions on PATH let me know.
I have been struggling with the same problem, and I think just figured it out:
My first solution was for monitoring audit.log as a file (so you get numbers instead of uid's, etc.). I created a file /opt/splunk/etc/system/local/props.xml with the following in it:
    [linux_audit]
    LINE_BREAKER = ^----$
The audit.log file contains ---- separators between each event, so all lines between the "----" lines can be assumed to be related to the same event. The LINE_BREAKER setting above causes all of the lines (SYSCALL, CWD, PATH) for a single event to be grouped together for indexing and display. I never figured out why the type=PATH lines got dropped, but this prevents it when you are monitoring it as a file.
I then started using the "rlog.sh" script to monitor the audits so that it would use ausearch -i to translate the audit information to a more human-readable format. However, the same solution did not work. You have to edit the rlog.sh script so that it stops stripping out the "----" separators. Edit the script and remove the "| grep -v ^----" from the ausearch -i command. Then you can make the same props.xml file as above but use the following LINE_BREAKER value:
    [linux_audit]
    LINE_BREAKER = (----[\r\n]+)
Exactly. Values placed in .../system/local/ files will take precedence over the unix app defaults.
I forgot to mention you have to restart Splunk after you make the change (for both versions), and it only affects logs that are indexed after the change & restart. To make it retroactive, you'd have to force it to re-index everything somehow. Since I'm just experimenting at this point, I'll probably just de-install and re-install Splunk to clear it out. There's probably a more graceful way to do it though.
How did the first option work? You simply make this file and save it to the /local/ directory as props.xml and it will modify linux_audit?
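A way to check the event grouping outside Splunk, as an added example that is not part of the original thread: this Python script splits `ausearch -i`-style output on the same `----` separator pattern as the second LINE_BREAKER value above and lists failed SYSCALL events that have no PATH record. The sample text, function names and audit serial numbers are constructed for illustration, and Python's `re.split` only stands in for Splunk's line breaking.

```python
import re

# Same separator pattern as the second LINE_BREAKER value quoted in the thread.
SEPARATOR = re.compile(r"(----[\r\n]+)")
RECORD_TYPE = re.compile(r"^type=(\w+)", re.MULTILINE)
EVENT_ID = re.compile(r"msg=audit\([^)]*:(\d+)\)")

# Constructed sample shaped like `ausearch -i` output (not real log data).
# Event 502 is deliberately missing its PATH record.
SAMPLE = """\
----
type=SYSCALL msg=audit(01/01/2010 10:00:00.100:501) : syscall=open success=no exit=-13(Permission denied) uid=jdoe exe=/bin/cat
type=CWD msg=audit(01/01/2010 10:00:00.100:501) :  cwd=/etc
type=PATH msg=audit(01/01/2010 10:00:00.100:501) : item=0 name=/etc/shadow
----
type=SYSCALL msg=audit(01/01/2010 10:00:05.200:502) : syscall=open success=no exit=-13(Permission denied) uid=jdoe exe=/bin/cat
type=CWD msg=audit(01/01/2010 10:00:05.200:502) :  cwd=/etc
----
type=USER_LOGIN msg=audit(01/01/2010 10:01:00.000:503) : uid=jdoe exe=/usr/sbin/sshd res=success
"""


def split_events(text):
    """Everything between two ---- lines is treated as one event."""
    parts = SEPARATOR.split(text)
    return [p.strip() for p in parts if p.strip() and not SEPARATOR.fullmatch(p)]


def record_types(event):
    """Record types in an event, in order (e.g. SYSCALL, CWD, PATH)."""
    return RECORD_TYPE.findall(event)


def failed_syscalls_missing_path(text):
    """Audit serial numbers of failed SYSCALL events that carry no PATH record.

    Not every syscall takes a path argument, so treat hits as leads to check.
    """
    missing = []
    for event in split_events(text):
        types = record_types(event)
        if "SYSCALL" in types and "success=no" in event and "PATH" not in types:
            missing.extend(sorted(set(EVENT_ID.findall(event))))
    return missing


if __name__ == "__main__":
    for ev in split_events(SAMPLE):
        print(record_types(ev))
    print("failed SYSCALL events without PATH:", failed_syscalls_missing_path(SAMPLE))
```

Running the same check over a real `ausearch -i` capture gives a list of serial numbers to compare against what a search of the linux_audit sourcetype returns.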