mike/TA-unix
1
0
Fork 0
Code Issues Pull requests Projects Releases 15 Packages Wiki Activity Actions
TA-unix/bin/rlog.sh

61 lines
2.7 KiB
Bash
Executable file
Raw Blame History

#!/bin/sh
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
#
# credit for improvement to http://splunk-base.splunk.com/answers/41391/rlogsh-using-too-much-cpu
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
OLD_SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile # For handling upgrade scenarios
CURRENT_AUDIT_FILE=/var/log/audit/audit.log # For handling upgrade scenarios
SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seektime
TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_rlog_error_tmpfile # For filering out "no matches" error from stderr
AUDIT_FILE="/var/log/audit/audit.log*"
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand service
assertHaveCommandGivenPath /sbin/ausearch
if [ -n "$(service auditd status 2>/dev/null)" ] && [ "$(service auditd status 2>/dev/null)" ] ; then
CURRENT_TIME=$(date --date="1 seconds ago" "+%x %T") # 1 second ago to avoid data loss
if [ -e "$SEEK_FILE" ] ; then
SEEK_TIME=$(head -1 "$SEEK_FILE")
# shellcheck disable=SC2086
awk " { print } " $AUDIT_FILE | /sbin/ausearch -i -ts $SEEK_TIME -te $CURRENT_TIME 2>$TMP_ERROR_FILTER_FILE | grep -v "^----";
# shellcheck disable=SC2086
grep -v "<no matches>" < $TMP_ERROR_FILTER_FILE 1>&2
elif [ -e "$OLD_SEEK_FILE" ] ; then
rm -rf "$OLD_SEEK_FILE" # remove previous checkpoint
# start ingesting from the first entry of current audit file
# shellcheck disable=SC2086
awk ' { print } ' $CURRENT_AUDIT_FILE | /sbin/ausearch -i -te $CURRENT_TIME 2>$TMP_ERROR_FILTER_FILE | grep -v "^----";
# shellcheck disable=SC2086
grep -v "<no matches>" <$TMP_ERROR_FILTER_FILE 1>&2
else
# no checkpoint found
# shellcheck disable=SC2086
awk " { print } " $AUDIT_FILE | /sbin/ausearch -i -te $CURRENT_TIME 2>$TMP_ERROR_FILTER_FILE | grep -v "^----";
# shellcheck disable=SC2086
grep -v "<no matches>" <$TMP_ERROR_FILTER_FILE 1>&2
fi
echo "$CURRENT_TIME" > "$SEEK_FILE" # Checkpoint+
else # Added this condition to get error logs
echo "error occured while running 'service auditd status' command in rlog.sh script. Output : $(service auditd status). Command exited with exit code $?" 1>&2
fi
# remove temporary error redirection file if it exists
# shellcheck disable=SC2086
rm $TMP_ERROR_FILTER_FILE 2>/dev/null
elif [ "$KERNEL" = "SunOS" ] ; then
:
elif [ "$KERNEL" = "Darwin" ] ; then
:
elif [ "$KERNEL" = "HP-UX" ] ; then
:
elif [ "$KERNEL" = "FreeBSD" ] ; then
:
fi
Reference in a new issue View git blame Copy permalink