How to convert audit.log data to usernames instead of user id numbers?

I'm using the standard auditd in Linux to capture "permission denied" messages. For some odd reason, auditd likes to store usernames as numbers (eg uid=500 instead of uid=john). It is possible to read audit.log by calling ausearch ... -i which will do the number->name conversion. Is there an easy, painless way to get the converted data in to splunk?

linux

asked 08 Nov '10, 20:41

splukUP
23●5
accept rate: 0%

2 Answers:

oldest newest most voted

You should check out the rlog.sh scripted input provided by the unix app that is shipped with splunk. It will convert ids to names and format timestamps for you. It uses the ausearch command line tool behind the scenes to give you a more human readable format.

Unfortunately, the default readlog.py script (which is used by rlog.sh) contains some silly mistakes that can cause your log to be reprocessed. I'd recommend that you apply the fix that I've come up with, which can be found on this question:

http://answers.splunk.com/questions/5650/nix-possible-bug-in-rlog-sh-script/5725#5725

link

answered 08 Nov '10, 21:39

Lowell ♦
11.1k●9●12●89
accept rate: 41%

0	For those who were still looking for answers after viewing this thread, chech out this link link answered 08 Nov '11, 11:04 jsb22 152●7 accept rate: 17%

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

linux ×134

Asked: 08 Nov '10, 20:41

Seen: 1,890 times

Last updated: 08 Nov '11, 11:04

How to convert audit.log data to usernames instead of user id numbers?

Follow this question

Splunk Resources

Related questions