I noticed after an internal audit that Splunk is not forwarding the entire audit.log. I am using Red Hat Linux 5. All other "types" look to be captured and forwarded. I see that the type=PATH line (showing the file from a permission denied entry) is not forwarding. Why would it exclude this line from the audit file? I did index the source type as linux_audit, and tried linux_secure and automatic.
My example for those Linux gurus:
Doing a cat command on /etc/shadow creates audit entries, for example:
type=SYSCALL success=no exe=/bin/cat...
type=CWD cwd=/etc...
asked 04 Nov '10, 15:37
I have been struggling with the same problem, and I think I just figured it out:
My first solution was for monitoring audit.log as a file (so you get numbers instead of UIDs, etc.). I created a file /opt/splunk/etc/system/local/props.xml with the following in it:
Since the audit.log file contains ---- separators between events, all lines between the "----" lines can be assumed to belong to the same event. The LINE_BREAKER setting above causes all of the lines (SYSCALL, CWD, PATH) for a single event to be grouped together for indexing and display. I never figured out why the type=PATH lines got dropped, but this prevents it when you are monitoring it as a file.
I then started using the "rlog.sh" script to monitor the audits so that it would use ausearch -i to translate the audit information into a more human-readable format. However, the same solution did not work: you have to edit the rlog.sh script so that it stops stripping out the "----" separators. Edit the script and remove "| grep -v ^----" from the ausearch -i command. Then you can make the same props.xml file as above, but use the following LINE_BREAKER value:
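As an added illustration (not code from the answer above or from Splunk), this Python snippet does the same grouping the answer relies on: it splits the "----"-separated audit records into events and joins each denied SYSCALL record with the PATH record(s) of the same event, which is the only place the denied file name appears. The sample records are constructed for the example, not taken from a real host.

```python
import re

# Constructed sample in raw audit.log form (numeric uids, "----" between events,
# as the answer describes). Serials, inodes and paths are made up.
SAMPLE = """\
type=SYSCALL msg=audit(1288885021.123:4567): arch=40000003 syscall=5 success=no exit=-13 uid=500 auid=500 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1288885021.123:4567):  cwd="/etc"
type=PATH msg=audit(1288885021.123:4567): item=0 name="/etc/shadow" inode=12345 dev=fd:00 mode=0100400 ouid=0 ogid=0
----
type=SYSCALL msg=audit(1288885080.500:4568): arch=40000003 syscall=5 success=yes exit=3 uid=500 auid=500 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1288885080.500:4568):  cwd="/home/user"
type=PATH msg=audit(1288885080.500:4568): item=0 name="/home/user/notes.txt" inode=222 dev=fd:00 mode=0100644 ouid=500 ogid=500
----
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
SERIAL = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # msg=audit(timestamp:serial)


def parse_record(line):
    """Turn one audit record line into a dict; the audit serial becomes 'serial'."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = SERIAL.search(line)
    if m:
        fields["serial"] = m.group(2)
    return fields


def split_events(text):
    """Group records into events on the '----' separator lines, i.e. the same
    grouping a LINE_BREAKER on '----' gives Splunk."""
    events, current = [], []
    for line in text.splitlines():
        if line.startswith("----"):
            if current:
                events.append(current)
            current = []
        elif line.strip():
            current.append(parse_record(line))
    if current:
        events.append(current)
    return events


def denied_file_access(text):
    """For each event whose SYSCALL has success=no, return
    (serial, uid, exe, [paths]) by joining it with the event's PATH records.
    If PATH lines were dropped, the list of paths is empty and you cannot
    tell which file was denied."""
    results = []
    for event in split_events(text):
        syscall = next((r for r in event if r.get("type") == "SYSCALL"), None)
        if not syscall or syscall.get("success") != "no":
            continue
        paths = [r["name"] for r in event if r.get("type") == "PATH" and "name" in r]
        results.append((syscall["serial"], syscall.get("uid"), syscall.get("exe"), paths))
    return results


if __name__ == "__main__":
    for serial, uid, exe, paths in denied_file_access(SAMPLE):
        print(f"serial={serial} uid={uid} exe={exe} denied={paths}")
```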
I am not using the Unix apps. I did make a props.conf file under the local directory. Splunk restarted OK, but PATH is still not getting indexed. I will ask the question to more Splunk guys. Thanks for the response, John. As for ID numbers, I just tag the ID with the person's last name (entered manually). Luckily there are not too many users here to monitor.
Any more suggestions on PATH let me know.
answered 09 Nov '10, 21:55