Good day,
I have installed Splunk ES v9.2.1 on a Linux server (CentOS 7.9). On the Splunk ES server, I have installed the Splunk Add-on for Unix and Linux with all scripts, including rlog.sh, enabled. I have also configured Splunk Forwarder v9.2.1 on a Linux client (CentOS 7.9). The Splunk ES server is receiving logs from the client as normal. But I still have a problem with the auditd logs coming from the client. The USER_CMD part of the auditd logs still appears in HEX format instead of ASCII.
For example, part of the log reads:
USER_CMD=636174202F6574632F736861646F77
where I expect the decoded value to be ASCII, as in:
USER_CMD=cat /etc/shadow
What am I doing wrong? And what can I do to view auditd logs in Splunk without me, as an analyst, having to decode each log entry one at a time?
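Added example (not from the question, the answer, or any Splunk add-on): auditd hex-encodes a field value when it contains whitespace, quotes or control characters, and emits plain values double-quoted instead, which is why the cmd value above arrives as a hex string. The Python below shows the decoding step an ingest pipeline or analyst script would apply. The list of hex-capable field names is an assumption (a subset of what auditd may encode; "user_cmd" is included only to cover the notation used in the question), and all sample records are constructed for the example.

```python
import re

# Assumption: subset of auditd field names that may arrive hex-encoded.
# "user_cmd" is not an auditd field; it mirrors the notation used in the question.
HEX_CAPABLE_FIELDS = {
    "cmd", "user_cmd", "proctitle", "comm", "exe", "cwd",
    "name", "acct", "key", "data",
}

# key=VALUE where VALUE is an unquoted run of hex digits followed by a
# separator; quoted values (exe="/usr/bin/sudo") never match.
_FIELD_RE = re.compile(
    r'\b(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<val>[0-9A-Fa-f]+)(?=[\s,]|$)'
)


def _decode_hex_value(hexval: str) -> str:
    """Turn an auditd hex string into display-safe text."""
    raw = bytes.fromhex(hexval)
    # PROCTITLE separates argv entries with NUL bytes; render them as spaces.
    text = raw.replace(b"\x00", b" ").decode("utf-8", errors="replace")
    # Keep control characters visible (\x0a etc.) rather than letting a decoded
    # newline or terminal escape sequence reach a log viewer unescaped.
    return "".join(
        ch if ch.isprintable() or ch == " " else f"\\x{ord(ch):02x}"
        for ch in text
    )


def decode_audit_hex_fields(line: str):
    """Return (rewritten line, {field: decoded text}) for one audit record.

    Only fields in HEX_CAPABLE_FIELDS are decoded, so numeric fields such as
    pid=1234 (which are also valid hex digits) are left untouched.
    """
    decoded = {}

    def repl(m: re.Match) -> str:
        key, val = m.group("key"), m.group("val")
        if key.lower() not in HEX_CAPABLE_FIELDS or len(val) % 2 or len(val) < 2:
            return m.group(0)
        text = _decode_hex_value(val)
        decoded[key] = text
        # Re-emit in the quoted form auditd uses for plain values.
        return f'{key}="{text.replace(chr(34), chr(92) + chr(34))}"'

    return _FIELD_RE.sub(repl, line), decoded


# Constructed sample records (not captured from the poster's system).
SAMPLE_LINES = [
    # Shape of a USER_CMD record: the cmd field carries the hex from the question.
    "type=USER_CMD msg=audit(1712345678.123:4567): pid=2345 uid=1000 auid=1000 "
    "ses=3 msg='cwd=\"/home/analyst\" cmd=636174202F6574632F736861646F77 "
    "exe=\"/usr/bin/sudo\" terminal=pts/0 res=success'",
    # PROCTITLE record: "cat" NUL "/etc/shadow".
    "type=PROCTITLE msg=audit(1712345678.123:4568): "
    "proctitle=636174002F6574632F736861646F77",
    # Plain quoted values must pass through unchanged.
    "type=SYSCALL msg=audit(1712345678.123:4568): pid=2345 comm=\"cat\" "
    "exe=\"/usr/bin/cat\"",
]


def decode_sample_lines():
    """Decode every constructed sample and return the rewritten records."""
    return [decode_audit_hex_fields(line)[0] for line in SAMPLE_LINES]


if __name__ == "__main__":
    for original, rewritten in zip(SAMPLE_LINES, decode_sample_lines()):
        print("IN : " + original)
        print("OUT: " + rewritten)
```

The allow-list is the important design choice: a purely syntactic "looks like hex" rule would also decode pid, uid and session numbers, so decoding is restricted to fields auditd is known to encode. Escaping control characters in the decoded output matters for the same reason the encoding exists in the first place: a command line can contain anything, and the decoded text should not be able to inject newlines or escape sequences into whatever displays it.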
I'm not 100% sure it will help, but TA_nix is not meant for auditd logs. There are at least two different add-ons on Splunkbase specifically for auditd logs.