Hi Everyone,
We have some Unix/AIX servers, and we want to configure the servers to send the administrative activity logs to Splunk.
Can anybody help me understand what kind of logs we require, or does anyone have experience to advise on that?
Hi everyone,
fortunately our AIX admin got the script. That script converts the multi-line output into one line and saves it into a log file.
Hi rashid47010,
the best solution is to install Splunk_TA_nix App.
Otherwise you have to take:
/var/log/messages
inserting in your Forwarders' inputs.conf the following stanzas:
[monitor:///var/log/secure]
disabled = 0
index = os
sourcetype = linux
[monitor:///var/log/messages]
disabled = 0
index = os
sourcetype = linux
You have to verify if on AIX there are additional logs that you have to take.
Bye.
Giuseppe
Hi rashid47010,
You can install a forwarder on the syslog server and so take the logs into Splunk.
You could also use Splunk as a syslog concentrator and directly send syslogs to Splunk using the UDP or TCP protocols (see network inputs).
In any case, the best solution should be to install a forwarder on each server: in this way you have a more efficient and sure solution.
Efficient because transmission is optimized (bandwidth optimization, compression, ...), sure because the forwarder caches logs in case of problems; using syslog you lose logs in case of problems (to not lose logs you should use a Load Balancer and two Splunk Servers as receivers).
So I suggest you use syslog only if you cannot use a Forwarder.
Bye.
Giuseppe
Hi cusello,
unfortunately I faced another problem related to the parsing of AIX audit logs into Splunk. On AIX servers, the logs are multi-line.
For example, when a new user is created, the user-creation command is in the first line and the user name is in the second line. How can we fix this issue?
In Splunk it only shows the first line.
It is very critical to us. Please advise.
Did you try to configure your props.conf with SHOULD_LINEMERGE=true?
After this you could extract your fields using the (?ms)
option in your REGEX.
Bye.
Giuseppe
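To make the two suggestions in this thread concrete (the admin's script that joins a multi-line audit record onto one line, and extracting fields with a (?ms) regex once lines are merged), here is an added Python example that is not part of the thread or of Splunk; the audit record layout and the field names (event, login, status, user) are constructed to match the shape described above, not real AIX auditpr output, and Splunk itself would do the merging step via SHOULD_LINEMERGE rather than this code.

```python
import re

# Constructed sample: each audit record spans several lines, the event and
# command on the first lines, the affected user name on a later line.
# Field names and layout are assumptions, not real AIX audit output.
SAMPLE_AUDIT = """\
event: USER_Create  login: root  status: OK  time: Mon Jan 01 10:00:00 2024
  command: mkuser
  user: alice
event: PASSWORD_Change  login: root  status: OK  time: Mon Jan 01 10:05:00 2024
  command: passwd
  user: alice
event: USER_Remove  login: root  status: FAIL  time: Mon Jan 01 10:09:00 2024
  command: rmuser
  user: bob
"""

# A new record starts at every line that begins with "event: " (the same idea
# as breaking events only before a known first-line pattern in props.conf).
RECORD_START = re.compile(r"^event: ", re.M)

def split_records(text):
    """Cut the raw multi-line text into one string per audit record."""
    starts = [m.start() for m in RECORD_START.finditer(text)]
    ends = starts[1:] + [len(text)]
    return [text[s:e].rstrip("\n") for s, e in zip(starts, ends)]

def flatten(record):
    """Join a multi-line record onto a single line, as the admin's script does."""
    return " ".join(part.strip() for part in record.splitlines())

# (?ms): ^ matches at each line start and . also matches newlines, so the
# "user:" value on a later line is reachable from the first line's fields.
# The regex works on both the multi-line and the flattened form of a record.
FIELDS = re.compile(
    r"(?ms)^event: (?P<event>\S+)\s+login: (?P<login>\S+)\s+status: (?P<status>\S+)"
    r".*?\buser: (?P<user>\S+)"
)

def extract_fields(record):
    """Return the named fields of one record, or None if it does not match."""
    m = FIELDS.search(record)
    return m.groupdict() if m else None

def parse(text):
    """Split the raw text into records and extract fields from each one."""
    return [extract_fields(r) for r in split_records(text)]

if __name__ == "__main__":
    for fields in parse(SAMPLE_AUDIT):
        print(fields)
```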
Hi Giuseppe
Thanks for your reply.
My concern is also what the AIX admin should configure on the host to send it to /var/log/messages or /var/log/secure.
In our scenario, all servers are sending logs to one central syslog server.
I believe that in the secure logs we are getting authentication logs.