Splunk Search

Is there a default sourcetype for /opt/log/www1/secure.log?

jagadeeshm
Contributor

Wondering if there a default sorucetype that can be used to extract source_ip and user from secure.log files?

source_ip is easy because of the format

user is a little bit tricky because of different format of log lines

Example events -

Thu Mar 16 2017 05:42:48 www1 sshd[3061]: Failed password for invalid user ubuntu from 78.111.167.117 port 3346 ssh2
Thu Mar 16 2017 05:31:31 www1 sshd[9216]: Accepted password for djohnson from 10.3.10.46 port 2750 ssh2
Thu Mar 16 2017 04:42:27 www1 sshd[56680]: pam_unix(sshd:session): session opened for user djohnson by (uid=0)

In this case, should we run the extraction several times and save the reg-ex pattern for each type of event separately?

0 Karma
1 Solution

woodcock
Esteemed Legend

If you are ONLY using this file, then you need this TA:

https://splunkbase.splunk.com/app/3476/

View solution in original post

woodcock
Esteemed Legend

If you are ONLY using this file, then you need this TA:

https://splunkbase.splunk.com/app/3476/

gcusello
SplunkTrust
SplunkTrust

Hi jagadeeshm,
have you seen:

In these apps you can find all the usual definition for unix.

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...