I'm using the standard auditd in Linux to capture "permission denied" messages. For some odd reason, auditd likes to store usernames as numbers (eg uid=500
instead of uid=john
). It is possible to read audit.log by calling ausearch ... -i
which will do the number->name conversion. Is there an easy, painless way to get the converted data in to splunk?
For those who were still looking for answers after viewing this thread, chech out this link
You should check out the rlog.sh
scripted input provided by the unix
app that is shipped with splunk. It will convert ids to names and format timestamps for you. It uses the ausearch
command line tool behind the scenes to give you a more human readable format.
Unfortunately, the default readlog.py
script (which is used by rlog.sh
) contains some silly mistakes that can cause your log to be reprocessed. I'd recommend that you apply the fix that I've come up with, which can be found on this question:
http://answers.splunk.com/questions/5650/nix-possible-bug-in-rlog-sh-script/5725#5725