
Unix eventtypes show up in all events

fisk12
Path Finder

I have a number of different log sources being forwarded to a "main Splunk server". Some of them are Linux servers, and for those I have installed the Unix app. For some reason, all of its eventtypes are showing up on events from the other sources as well (firewall, wireless controller).

Like this, for every event:

eventtype=auditd
eventtype=cpu
eventtype=df check df host success
eventtype=hardware
eventtype=interfaces
eventtype=iostat cpu iostat report resource success
eventtype=lastlog
eventtype=lsof file lsof report resource success
eventtype=netstat cpu netstat os report success
eventtype=openPorts
eventtype=package
eventtype=protocol
eventtype=ps os process ps report success
eventtype=top os process report success top
eventtype=unix-all-logs
eventtype=usersWithLoginPrivs
eventtype=vmstat memory report resource success vmstat
eventtype=who

0 Karma

stech169
New Member

You've probably already figured this out, but I'm adding this because I had the same issue. If you just comment out the stanza for [unix-all-logs] in //etc/app/unix/default/eventtypes.conf, you don't get any eventtypes on device syslogs. Or look at the stanza for [unix-all-logs] and remove the search parameters that would hit your device syslog files.

In Unix app 4.5, I modified it as follows:

OLD:
[nix-all-logs]
search = source=".log" OR source=".log." OR source="/log/" OR source="/var/adm/" OR source="access*" OR source="error" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog

NEW:
[nix-all-logs]
search = source="/var/adm/" OR source="access" OR source="error" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog

0 Karma

yaraslau_haradz
New Member

This helped me get rid of the "unix-all-logs" eventtypes:
1) move the "unix" app out of the etc/apps folder
2) restart Splunk
3) copy the "unix" app back into the etc/apps folder
4) restart Splunk

0 Karma

fisk12
Path Finder

Anyone have any idea?

0 Karma

fisk12
Path Finder

Cool, that did the trick, almost :) I managed to get rid of all the eventtypes except unix-all-logs. Right now the relevant part of my config looks like this:

search = source="log" OR source="var" OR sourcetype="syslog*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog
dispatch.earliest_time = -15m

[unix-all-configs]
search = source="/etc/" OR source=".conf" OR source="*.cfg"

[unix-errors-or-critical]
search = index="os" eventtype="unix-all-logs" error OR critical

How should I set this up to get rid of the "unix-all-logs" eventtype?

0 Karma

fisk12
Path Finder

Anyone have any ideas?

0 Karma

southeringtonp
Motivator

The Unix app has a known issue with incorrectly defined eventtypes.

Take a look at this thread:
      http://answers.splunk.com/questions/9194/results-returning-wrong-eventtypes

The gist is that you need to override each of the affected eventtypes and add the missing search= before the search strings.
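The two fixes proposed in this thread (stech169's narrowing of the [unix-all-logs] search and southeringtonp's "add the missing search=") are both edits to eventtypes.conf, and the practical problem is finding every affected stanza rather than fixing one by hand. The script below is an added example and is not code from the Unix app or from anyone in the thread. It assumes the mechanism southeringtonp points at: when a stanza's search string is written without the leading `search =` key, Splunk's conf parser stores the line under whatever precedes its first `=` (for example a key called `source`), the eventtype then has no `search` attribute at all, and an eventtype with no search matches every event, firewall and wireless-controller events included. The sample conf embedded in the script is constructed for the example, and the local override path in the usage text follows the thread's app folder name `unix`.

```python
"""Lint a Splunk eventtypes.conf for stanzas that lost their 'search =' key.

Added example, not the Unix app's own code. Assumption: a stanza without a
'search' attribute matches every event, which is the symptom this thread is
about. The conf text below is constructed for the example.
"""
import re

# Constructed sample: [cpu] and [who] are written the broken way.
SAMPLE_EVENTTYPES_CONF = '''\
# constructed sample, loosely modelled on the app's default/eventtypes.conf
[unix-all-logs]
search = source="*.log" OR source="*/var/log/*" OR sourcetype="syslog*" \\
    NOT source=usersWithLoginPrivs NOT sourcetype=lastlog

[df]
search = sourcetype="df"
description = Disk usage report from the df command

[cpu]
sourcetype="cpu"

[who]
source="who"

[high-cpu]
search = eventtype=cpu pctIdle<10
'''

EVENTTYPE_REF = re.compile(r'eventtype\s*=\s*"?([\w.-]+)"?')


def parse_conf(text):
    """Parse Splunk conf syntax: [stanza], key = value, '#' comments, and a
    trailing backslash that continues a value onto the next line. A line
    without '=' becomes a key with an empty value, as Splunk would see it."""
    stanzas = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None:
            continue  # attribute before any stanza header: ignored
        key, _, value = stripped.partition("=")
        stanzas[current][key.strip()] = " ".join(value.split())
    return stanzas


def find_unsearchable(conf):
    """Return {eventtype: reconstructed search} for stanzas with no 'search'.
    Re-joining the mis-parsed key and value recovers the text the author
    meant to put after 'search = '."""
    broken = {}
    for name, attrs in conf.items():
        if attrs.get("search"):
            continue
        pieces = [f"{k}={v}" if v else k for k, v in attrs.items()]
        broken[name] = " ".join(pieces)
    return broken


def find_dependents(conf, broken):
    """Eventtypes whose search references a broken eventtype. Once the
    referenced eventtype matches everything, so does the dependent one."""
    hits = []
    for name, attrs in conf.items():
        refs = EVENTTYPE_REF.findall(attrs.get("search", ""))
        if any(r in broken for r in refs):
            hits.append(name)
    return sorted(hits)


def render_local_override(broken):
    """Stanzas for local/eventtypes.conf that supply the missing 'search ='.
    local/ takes precedence over default/, so the app's own file stays
    untouched and the fix survives an app upgrade."""
    return "\n".join(f"[{name}]\nsearch = {broken[name]}\n" for name in sorted(broken))


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_EVENTTYPES_CONF)
    broken = find_unsearchable(conf)
    for name in broken:
        print(f"{name}: no 'search' attribute, would match every event")
    for name in find_dependents(conf, broken):
        print(f"{name}: depends on a broken eventtype")
    print("\n# paste into $SPLUNK_HOME/etc/apps/unix/local/eventtypes.conf")
    print(render_local_override(broken))
```

Run it against the app's real default/eventtypes.conf instead of the embedded sample to get the full list of stanzas to override; the dependents check is what catches a stanza like the thread's [unix-errors-or-critical], which looks fine on its own but inherits the match-everything behaviour through eventtype="unix-all-logs".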
