
Lousy eventtypes in Unix add-on: only Unix uses *.log files?

satyenshah
Path Finder

The Splunk Add-on for Unix and Linux (v6.0.1, the current version) contains a couple of curiously broad eventtype definitions in default/eventtypes.conf:

[nix-all-logs]
search = source="*.log" OR source="*.log.*" OR source="*/log/*" OR source="/var/adm/*" OR source="access*" OR source="*error*" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog

[nix_errors]
search = (NOT sourcetype=stash) error OR critical OR failure OR fail OR failed OR fatal

These say that any Splunk search result where the data came from a file with extension ".log", or any search query containing the search term "error", will tag the results with a "nix" eventtype. Even if you are searching IIS or firewall logs, it's tagged nix, which is comical. This raises two questions:

1) what are the implications of the eventtype on day-to-day use? Is the eventtype tag really relevant, or is it legacy from earlier versions of Splunk?
2) has anybody written/deployed a tighter filter for [nix-all-logs] and [nix_errors] than the built-in ones? I imagine just adding 'NOT vendor=Microsoft' would make sense, but I'm sure there's better logic.

lakshman239
Influencer

For 1 - eventtypes and tags are the foundations for datamodels. They are very helpful when you want to group events and tag them. https://docs.splunk.com/Documentation/Splunk/7.2.4/Knowledge/Abouteventtypes

For 2 - If you want to create your own version or improve the eventtypes, you can create one and store it in local/eventtypes.conf and local/tags.conf for your use case.

0 Karma
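As an added illustration of the local override the answer describes (this is not configuration from the original thread or from the add-on itself), the following local/eventtypes.conf and local/tags.conf narrow the two stanzas so that only data the add-on actually ingests can match. The index name os and the sourcetype list are assumptions for the example; substitute whatever index your Unix hosts forward into and whichever of the add-on's sourcetypes you actually use. Because local/ takes precedence over default/ and is not touched by an app upgrade, the override survives the next add-on release.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/eventtypes.conf
# Added example, not the add-on's shipped definition.
# Stanza names match default/eventtypes.conf so these replace the broad searches.

[nix-all-logs]
# Restrict by index and sourcetype instead of by file extension, so
# IIS, firewall or any other "*.log" source outside the Unix index
# no longer matches. "index=os" is an assumption for this example;
# the sourcetype list is the subset of the add-on's sourcetypes in use here.
search = index=os (sourcetype=syslog OR sourcetype=linux_messages_syslog OR sourcetype=linux_secure OR sourcetype=linux_audit OR source="/var/log/*" OR source="/var/adm/*") NOT source=usersWithLoginPrivs NOT sourcetype=lastlog

[nix_errors]
# Anchor the error keywords to the tightened nix-all-logs eventtype
# (eventtypes may reference other eventtypes), so a search that merely
# contains the word "error" is not tagged nix unless it hits Unix data.
search = eventtype=nix-all-logs (error OR critical OR failure OR fail OR failed OR fatal) NOT sourcetype=stash
```

If you keep the add-on's tags (the default tags.conf maps these eventtypes to the nix tag), nothing further is needed; otherwise add a matching `[eventtype=nix-all-logs]` / `[eventtype=nix_errors]` stanza in local/tags.conf with `nix = enabled`. To confirm which definition wins after the override, run `splunk btool eventtypes list nix-all-logs --debug` on the search head; the output shows the file each attribute was resolved from.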