Solved: Is there a default sourcetype for /opt/log/www1/se...

jagadeeshm · ‎03-15-2017

Wondering if there a default sorucetype that can be used to extract source_ip and user from secure.log files?

source_ip is easy because of the format

user is a little bit tricky because of different format of log lines

Example events -

Thu Mar 16 2017 05:42:48 www1 sshd[3061]: Failed password for invalid user ubuntu from 78.111.167.117 port 3346 ssh2
Thu Mar 16 2017 05:31:31 www1 sshd[9216]: Accepted password for djohnson from 10.3.10.46 port 2750 ssh2
Thu Mar 16 2017 04:42:27 www1 sshd[56680]: pam_unix(sshd:session): session opened for user djohnson by (uid=0)

In this case, should we run the extraction several times and save the reg-ex pattern for each type of event separately?

woodcock · ‎03-16-2017

If you are ONLY using this file, then you need this TA:

https://splunkbase.splunk.com/app/3476/

View solution in original post

woodcock · ‎03-16-2017

If you are ONLY using this file, then you need this TA:

https://splunkbase.splunk.com/app/3476/

gcusello · ‎03-16-2017

Hi jagadeeshm,
have you seen:

Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833/);
Splunk App for Unix and Linux (https://splunkbase.splunk.com/app/273/#/overview);
Linux Auditd (https://splunkbase.splunk.com/app/2642/#/overview).

In these apps you can find all the usual definition for unix.

Bye.
Giuseppe

Is there a default sourcetype for /opt/log/www1/secure.log?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk