Linux Secure Technology Add-On: auth.log not parsed

test_qweqwe
Builder

Hello.
I'm using Ubuntu 16.04 LTS and am collecting /var/log/auth.log.
Also, on CentOS 7 with /var/log/secure it works properly.

[monitor:///var/log/auth.log]
disabled = 0

And I have this:
sourcetype shows as syslog, not as secure_linux.
TA_nix was removed before I installed the Linux Secure Technology Add-On.

1 Solution

doksu
SplunkTrust
SplunkTrust

Always specify the source type in your inputs.conf monitor stanza. In this case, sourcetype=linux_secure.

P.S. a new version of the app is currently under certification review which will provide greater support for Debian-based distributions and should be released in the coming days.

test_qweqwe
Builder

Later I did that, but it did not help me.
But on another machine with Ubuntu 16.04 it works fine.

0 Karma

kmarciniak
Path Finder

When they say to remove Splunk_TA_nix from the SH before installing, does that requirement also mean removing Splunk_TA_nix from all indexers, HFs and the d/s? Also, can disabling the app be sufficient, or does the app directory need to be removed entirely? I want to test this out first before removing TA_nix entirely.

0 Karma

doksu
SplunkTrust
SplunkTrust

Only removal from the search head is strictly necessary. You could disable the Splunk_TA_nix app instead, but I recommend removal.

0 Karma

kmarciniak
Path Finder

I assume you still need Splunk_TA_nix on your HF running syslog-ng, and on the indexers for UFs running on Linux hosts, as these have the props and transforms for these Linux logs, and the Splunk App for Unix and Linux is for the SH for visuals. So for linux_secure the requirements are "Splunk App for Unix and Linux" and "linux_secure" on the SHs, and Splunk_TA_nix on indexers and HFs, and I guess UFs too. Is this true?

0 Karma

doksu
SplunkTrust
SplunkTrust

No, I don't recommend Splunk_TA_nix be used at all anywhere in your Splunk environment. Simply configure the inputs.conf monitor stanza for /var/log/auth.log on your universal forwarder with sourcetype=linux_secure, then install the TA-linux_secure app in your search environment and you're done.

There's nothing to be visualised for /var/log/auth.log. If you're looking for Linux performance monitoring, I suggest: https://splunkbase.splunk.com/app/3412/

0 Karma
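The fix in the accepted answer is simply an explicit `sourcetype = linux_secure` line under the `[monitor://...]` stanza on the forwarder. A quick way to catch the original poster's problem before shipping a forwarder is to lint inputs.conf for monitor stanzas that omit the sourcetype. The script below is an added example, not code from the thread or from the add-on: it constructs a sample inputs.conf that reproduces the question (the auth.log stanza without a sourcetype, the corrected /var/log/secure stanza, and an unrelated scripted input) and reports every monitor stanza that lacks an explicit sourcetype. The file path and sample contents are made up for illustration.

```shell
# Added example (not from the original thread): lint a Splunk inputs.conf and
# report every [monitor://...] stanza that does not set sourcetype explicitly.
# That omission is what lets /var/log/auth.log be auto-typed as "syslog"
# instead of "linux_secure". Sample file contents below are constructed.

# Print the header of each monitor stanza lacking a sourcetype line, one per line.
# Usage: monitor_stanzas_without_sourcetype /opt/splunkforwarder/etc/system/local/inputs.conf
monitor_stanzas_without_sourcetype() {
    awk '
        # Emit the previous stanza if it was a monitor stanza with no sourcetype.
        function flush() {
            if (stanza != "" && !has_st) print stanza
        }
        # A line starting with "[" opens a new stanza; only monitor:// ones matter.
        /^[ \t]*\[/ {
            flush()
            stanza = $0; sub(/^[ \t]*/, "", stanza)
            if (stanza !~ /^\[monitor:\/\//) stanza = ""
            has_st = 0
            next
        }
        # Any "sourcetype = ..." key inside the current stanza satisfies the check.
        /^[ \t]*sourcetype[ \t]*=/ { has_st = 1 }
        END { flush() }
    ' "$1"
}

# Write a constructed inputs.conf reproducing the thread: the first stanza is
# the one from the question (no sourcetype), the second is the corrected form,
# the third is an unrelated scripted input that the linter must ignore.
write_sample_inputs_conf() {
    cat > "$1" <<'EOF'
[monitor:///var/log/auth.log]
disabled = 0

[monitor:///var/log/secure]
disabled = 0
sourcetype = linux_secure

[script://./bin/vmstat.sh]
interval = 60
EOF
}

# Stand-alone run: create the sample file, lint it, clean up.
sample=$(mktemp)
write_sample_inputs_conf "$sample"
monitor_stanzas_without_sourcetype "$sample"
rm -f "$sample"
```

Run against the forwarder's own inputs.conf files (system/local and any deployed app's local/default directories), the output is the list of stanzas to which a `sourcetype = linux_secure` line should be added. On the forwarder itself, `splunk btool inputs list --debug` shows the merged result across all of those files and which file each setting came from, which is the quickest way to confirm that no leftover Splunk_TA_nix stanza is still contributing to the same path.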