I'm using the standard auditd in Linux to capture "permission denied" messages. For some odd reason, auditd likes to store usernames as numbers (eg uid=500 instead of uid=john). It is possible to read audit.log by calling ausearch ... -i which will do the number->name conversion. Is there an easy, painless way to get the converted data in to splunk?
You should check out the rlog.sh scripted input provided by the unix app that is shipped with splunk. It will convert ids to names and format timestamps for you. It uses the ausearch command line tool behind the scenes to give you a more human readable format.
Unfortunately, the default readlog.py script (which is used by rlog.sh) contains some silly mistakes that can cause your log to be reprocessed. I'd recommend that you apply the fix that I've come up with, which can be found on this question: