Getting Data In

Configure Splunk to get the aide log file

ck26676
New Member

I am trying to configure Splunk to read the aide.log file. Which file(s) do I need to modify in Splunkforwarder to get it to read the aide.log file?

0 Karma

richgalloway
SplunkTrust

Any inputs.conf file other than /opt/splunkforwarder/etc/system/default/inputs.conf.

Best practice is to create your own app (/opt/splunkforwarder/etc/apps/org_aide_inputs, for example) and put the inputs.conf file there.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ck26676
New Member

Still trying to get the right configuration to read the aide.log file. This is what I have written in the inputs.conf file:

[aide]
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
TIME_PREFIX = Mtime\s{4}:\s\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{14},\s
BREAK_ONLY_BEFORE = ((File:|Directory:))
CHARSET = UTF-8
EXTRACT-mtime = (Mtime\s{4}:\s\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{14},\s(?<mtime>\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}))
EXTRACT-ctime = (Ctime\s{4}:\s(?<ctime>\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}))
EXTRACT-file = File:\s(?P<file>[\/]{1,}(\w|.)+)
EXTRACT-directory = Directory:\s(?P<directory>[\/]{1,}(\w|.)+)
0 Karma

richgalloway
SplunkTrust

Those settings belong in props.conf on the indexers and heavy forwarders.

BTW, the TIME_PREFIX setting should describe what comes *before* the timestamp and not the timestamp itself.

The inputs.conf file should look a little like this:

[monitor:///path/to/file]
index = foo
sourcetype = mysourcetype
---
If this reply helps you, Karma would be appreciated.
0 Karma
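A worked illustration of the props.conf semantics discussed in this thread, added here as an example (it is not code from the thread or from Splunk): a small Python stand-in that applies BREAK_ONLY_BEFORE, a TIME_PREFIX, and EXTRACT-style named-group regexes to a constructed AIDE report. The sample report lines, the "aide" sourcetype settings, and the 19-character timestamp lookahead are assumptions; the two prefixes show that whatever text the prefix consumes decides which timestamp becomes the event time.

```python
import re
from datetime import datetime

# Constructed AIDE check report (not a real capture), laid out the way the
# poster's regexes expect: old value, 14 spaces, a comma, new value.
OLD, NEW = "2023-09-01 10:00:00", "2023-09-05 12:30:45"
SAMPLE_AIDE_LOG = "\n".join([
    "File: /etc/passwd",
    f" Mtime    : {OLD}{' ' * 14}, {NEW}",
    f" Ctime    : {OLD}{' ' * 14}, {NEW}",
    "Directory: /etc/cron.d",
    f" Mtime    : 2023-08-20 08:15:00{' ' * 14}, 2023-09-05 12:31:02",
    f" Ctime    : 2023-08-20 08:15:00{' ' * 14}, 2023-09-05 12:31:02",
]) + "\n"

# Hypothetical props.conf values for an "aide" sourcetype (Python needs the
# (?P<name>...) group syntax; Splunk's PCRE accepts both spellings).
TS = r"\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}"
BREAK_ONLY_BEFORE = r"(File:|Directory:)"
TIME_PREFIX = r"Mtime\s{4}:\s"                        # text before the OLD mtime
TIME_PREFIX_NEW = rf"Mtime\s{{4}}:\s{TS}\s{{14}},\s"  # text before the NEW mtime
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 19                          # len("YYYY-mm-dd HH:MM:SS")
EXTRACTS = {
    "mtime": rf"Mtime\s{{4}}:\s{TS}\s{{14}},\s(?P<mtime>{TS})",
    "ctime": rf"Ctime\s{{4}}:\s(?P<ctime>{TS})",
    "file": r"File:\s(?P<file>/\S+)",
    "directory": r"Directory:\s(?P<directory>/\S+)",
}

def break_events(text: str, break_before: str = BREAK_ONLY_BEFORE) -> list[str]:
    """Mimic BREAK_ONLY_BEFORE: a new event starts at each matching line (preamble dropped)."""
    starts = [m.start() for m in re.finditer(rf"(?m)^(?:{break_before})", text)]
    return [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]

def parse_timestamp(event: str, time_prefix: str = TIME_PREFIX) -> datetime:
    """Mimic TIME_PREFIX: the timestamp is read from the characters right after the match."""
    m = re.search(time_prefix, event)
    if m is None:
        raise ValueError("TIME_PREFIX did not match this event")
    window = event[m.end(): m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    return datetime.strptime(window, TIME_FORMAT)

def extract_fields(event: str) -> dict[str, str]:
    """Mimic EXTRACT-<name>: every named group of every regex becomes a field."""
    fields: dict[str, str] = {}
    for regex in EXTRACTS.values():
        if (m := re.search(regex, event)) is not None:
            fields.update(m.groupdict())
    return fields
```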

m_pham
Splunk Employee

Just to add to this: for the path in the stanza, make sure you use the correct slashes depending on which operating system it is (forward slash for Linux and backslash for Windows).


[monitor://<path>]
* Configures a file monitor input to watch all files in the <path> you specify.
* <path> can be an entire directory or a single file.
* You must specify the input type and then the path, so put three slashes in
  your path if you are starting at the root on *nix systems (to include the
  slash that indicates an absolute path).

https://docs.splunk.com/Documentation/Splunk/latest/Admin/inputsconf

https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Monitorfilesanddirectorieswithinputs.conf

Windows inputs stanza example:

[monitor://C:\Windows\System32\WindowsUpdate.log]
index = test
sourcetype = my_sourcetype

0 Karma