How to correlate several distinct events linked by...

MarioM · ‎09-16-2014

I need help on correlating several distinct events and different fields (4 fields) linking to each events and doing it without the transaction command because of the performance cost.

event 1 --- field of interest 'msg' ie."msg=audit(1406101599.298:11965)" --- "source=/var/log/audit/audit.log"

node=nodesrv0001
type=PATH
msg=audit(1406101599.298:11965):
item=0 name="/etc/group"
inode=280905 dev=fd:01 mode=0100644
ouid=0 ogid=0 rdev=00:00
nametype=NORMAL

event 2 --- field of interest 'auid' ie."auid=4294967295" --- "source=/var/log/audit/audit.log"

node=nodesrv0001
type=SYSCALL
msg=audit(1406101599.298:11965):
arch=c000003e syscall=90 success=yes exit=0
a0=1bf1ce0 a1=81a4 a2=48ed57 a3=0
items=1
ppid=27177 pid=27230
auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3
ses=4294967295
comm="vi" exe="/bin/vi"
key="Access-change"

event 3 --- field of interest 'pid' ie."pid=27016" --- "source=/var/log/audit/audit.log"

node=nodesrv0001
type=SYSCALL
msg=audit(1406101460.101:11730):
arch=c000003e syscall=2 success=yes exit=4
a0=495340 a1=1 a2=2 a3=8
items=1
ppid=27015 pid=27016
auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3
ses=4294967295
comm="pblocald" exe="/usr/sbin/pblocald"
key="logins"

event 4 --- (the link with previous event is pblocald[27016] extracted and aliased to 'pid') --- field of interest 'uniqueid' ie."uniqueid: 0a411a8c53cf67cd5202" --- "source=/var/log/audit/audit.log"

2014-07-23T08:44:20.102759+01:00
nodesrv0001
pblocald[27016]:
pblocald[27015]:
PowerBroker started bash on 2014/07/23 at 8:44,
uniqueid: 0a411a8c53cf67cd5202
psmcmapid: 0a4b4a2453cf67cd3ADF

event 5 ---

2014-07-23T08:44:19.952255+01:00
nodesrv0001
pblocald8.0.0-10:
pblocald[27015]:
PowerBroker accepted bash on 2014/07/23 at 08:44:13 BST,
submitted by sa_jdoe on srv0094
run by root on nodesrv0001
Logserver: logsrv0001 logsrv0002
iolog:/apps/powerbroker/iologs/2014/07/23/084419.sa_jdoe.nodesrv0001.root.bash
ticket_string:
uniqueid: 0a411a8c53cf67cd5202
psmcmapid: 0a4b4a2453cf67cd3ADF

MuS · ‎09-16-2014

Hi MarioM,

usually I use stats, chart, streamstats or eventstats for something like this. Also take a look at this post to get some examples http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...

hope this helps ...

cheers, MuS

How to correlate several distinct events linked by multiple different fields without the transaction command?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms