Is there any documentation about which files are covered by the pre-canned source types for Linux? Specifically, there are two that are fairly similar, linux_messages_syslog: *Format found within the Linux log file /var/log/messages* and linux_secure: *Format for the /var/log/secure file containing all security related messages on a Linux machine*.
It's a production machine that I don't have access to, so I can't just guess and check.
Thanks
This doc may help you:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Listofpretrainedsourcetypes
That doesn't map the files to the sourcetype. It gives an example of one log for that sourcetype.
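Since the pretrained list only documents what each sourcetype looks like, not which files get it, the reliable way to know is to pin the sourcetype in inputs.conf rather than depend on automatic recognition. The following is an added example, not from this thread or from Splunk's documentation; it uses the two file paths the sourcetype descriptions themselves mention, and the stanza layout is standard inputs.conf syntax on a forwarder.

```ini
# Added example: inputs.conf stanzas that assign the two pretrained
# sourcetypes explicitly to the files their descriptions name, so the
# mapping does not depend on Splunk's automatic sourcetype recognition.
# Paths are the ones quoted in the question (/var/log/messages, /var/log/secure).

[monitor:///var/log/messages]
sourcetype = linux_messages_syslog
disabled = 0

[monitor:///var/log/secure]
sourcetype = linux_secure
disabled = 0
```

On a host you can reach, `splunk btool inputs list --debug` prints the effective monitor stanzas together with the .conf file each setting came from, which answers "which file feeds which sourcetype" for that host. For a production box you cannot log into, the same question can be answered from the search head with a search such as `index=* (sourcetype=linux_messages_syslog OR sourcetype=linux_secure) | stats count by source, sourcetype`, which lists the files already indexed under each of the two sourcetypes.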