I have been struggling with the same problem, and I think just figured it out:
My first solution was for monitoring audit.log as a file (so you get numbers instead of uid's, etc.). I created a file /opt/splunk/etc/system/local/props.xml with the following in it:
LINE_BREAKER = ^----$
Since the audit.log file contains ---- separators between each event, so all lines between the "----" lines can be assumed to be related to the same event. The LINE_BREAKER setting above causes all of the lines (SYSCALL, CWD, PATH) for a single event to be grouped together for indexing and display. I never figured out why the type=PATH lines got dropped but this prevents it when you are monitoring it as a file.
I then started using the "rlog.sh" script to monitor the audits so that it would use ausearch -i to translate the audit information to a more human-readable format. However, the same solution did not work. You have to edit the rlog.sh script so that it stops stripping out the "----" separators. Edit the script and remove the "| grep -v ^----" from the ausearch -i command. Then you can make the same props.xml file as above but use the following LINE_BREAKER value:
LINE_BREAKER = (----[\r\n]+)
... View more