Deployment Architecture

Entire audit log is not forwardering, missing type=PATH entry

djfisher
Explorer

I noticed after an internal audit that Splunk is not forwarding the entire audit.log. I am using Linux Redhat 5. All other "types" look to be captured and forwarded. I see that the Type=PATH line (showing file from permission denied entry) is not forwarding. Why would it exclude this line from the audit file? I did index source type as linux_audit, and tried linux_secure and automatic.

My example for those linux gurus.

doing a cat command on /etc/shadow. creates audit entry example type=SYSCALL success=no exe=/bin/cat...

type CWD cwd=/etc...

type=PATH name="shadow"....

Line type=PATH is not being indexed
Tags (1)
0 Karma

djfisher
Explorer

I am not using the unix apps. I did make a props.conf file under the local directory. Splunk restarted ok, but PATH is still not getting indexed. I will ask the question to more Splunk guys. Thanks for the response John. As for ID numbers, I just tag the id with the person's last name. (enter manually). Luckily not too many users here to monitor.

Any more suggestions on PATH let me know.

Thanks David

0 Karma

JohnRitter
Engager

I have been struggling with the same problem, and I think just figured it out:

My first solution was for monitoring audit.log as a file (so you get numbers instead of uid's, etc.). I created a file /opt/splunk/etc/system/local/props.xml with the following in it:

[linux_audit]
LINE_BREAKER = ^----$

Since the audit.log file contains ---- separators between each event, so all lines between the "----" lines can be assumed to be related to the same event. The LINE_BREAKER setting above causes all of the lines (SYSCALL, CWD, PATH) for a single event to be grouped together for indexing and display. I never figured out why the type=PATH lines got dropped but this prevents it when you are monitoring it as a file.

I then started using the "rlog.sh" script to monitor the audits so that it would use ausearch -i to translate the audit information to a more human-readable format. However, the same solution did not work. You have to edit the rlog.sh script so that it stops stripping out the "----" separators. Edit the script and remove the "| grep -v ^----" from the ausearch -i command. Then you can make the same props.xml file as above but use the following LINE_BREAKER value:

[linux_audit]
LINE_BREAKER = (----[\r\n]+)

JohnRitter
Engager

Exactly. Values placed in .../system/local/ files will take precedence over the unix app defaults.

I forget to mention you have to restart Splunk after you make the change (for both versions), and it only affects logs that are indexed after the change & restart. To make it retro-active, you'd have to force it to re-index everything somehow. Since I'm just experimenting at this point, I'll probably just de-install and re-install Splunk to clear it out. There's probably a more graceful way to do it though.

0 Karma

djfisher
Explorer

How did the first option work? You simple make this file and save it to the /local/ directory as props.xml and it will modify linux_audit?

David

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...