Getting Data In

Configure Splunk to get the aide log file

ck26676
New Member

I am trying to configure Splunk to read the aide.log file. Which file(s) do I need to modify in Splunkforwarder to get it to read the aide.log file?

0 Karma

richgalloway
SplunkTrust

Any inputs.conf file other than /opt/splunkforwarder/etc/system/default/inputs.conf.

Best practice is to create your own app (/opt/splunkforwarder/etc/apps/org_aide_inputs, for example) and put the inputs.conf file there.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ck26676
New Member

Still trying to get the right configuration to read the aide.log file. This is what I have written in the inputs.conf file:

[aide]
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
TIME_PREFIX = Mtime\s{4}:\s\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{14},\s
BREAK_ONLY_BEFORE = ((File:|Directory:))
CHARSET = UTF-8
# capture-group names (<mtime>, <ctime>, <file>, <directory>) are assumed from the EXTRACT-* key names; the post as rendered had lost them
EXTRACT-mtime = (Mtime\s{4}:\s\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{14},\s(?<mtime>\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}))
EXTRACT-ctime = (Ctime\s{4}:\s(?<ctime>\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}))
EXTRACT-file = File:\s(?P<file>[\/]{1,}(\w|.)+)
EXTRACT-directory = Directory:\s(?P<directory>[\/]{1,}(\w|.)+)
0 Karma

richgalloway
SplunkTrust

Those settings belong in props.conf on the indexers and heavy forwarders.

BTW, the TIME_PREFIX setting should describe what comes *before* the timestamp and not the timestamp itself.

The inputs.conf file should look a little like this:

[monitor:///path/to/file]
index = foo
sourcetype = mysourcetype
---
If this reply helps you, Karma would be appreciated.
0 Karma
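As an added check that is not part of the thread: a Python script that runs the posted BREAK_ONLY_BEFORE and EXTRACT-* regexes over a constructed sample (assumed to follow the layout those regexes expect, not taken from a real AIDE report) and shows which of the two Mtime values each TIME_PREFIX choice turns into _time, so the props.conf settings can be tried offline before they reach the indexers.

```python
import re

# Constructed sample in the shape the thread's regexes expect (field name, four spaces,
# colon, old value, fourteen spaces, comma, new value); not taken from a real AIDE report.
SEP = " " * 14 + ", "
SAMPLE_AIDE_LOG = "\n".join([
    "File: /etc/passwd",
    "Mtime    : 2024-03-01 08:15:00" + SEP + "2024-03-02 09:30:45",
    "Ctime    : 2024-03-02 09:30:45",
    "Directory: /etc/cron.d",
    "Mtime    : 2024-03-01 08:00:00" + SEP + "2024-03-03 22:10:05",
    "Ctime    : 2024-03-03 22:10:05",
]) + "\n"

TIMESTAMP = r"\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}"  # the part TIME_FORMAT would parse
# BREAK_ONLY_BEFORE from the thread: each File:/Directory: line starts a new event.
BREAK_ONLY_BEFORE = re.compile(r"(?m)^(?=File:|Directory:)")
# Two TIME_PREFIX candidates: the posted one (it contains the first timestamp) and one that stops just before it.
PREFIX_POSTED = re.compile(r"Mtime\s{4}:\s" + TIMESTAMP + r"\s{14},\s")
PREFIX_BEFORE_TIMESTAMP = re.compile(r"Mtime\s{4}:\s")
# The thread's EXTRACT-* regexes with their named capture groups written out.
EXTRACTIONS = {
    "mtime": re.compile(r"Mtime\s{4}:\s" + TIMESTAMP + r"\s{14},\s(?P<mtime>" + TIMESTAMP + r")"),
    "ctime": re.compile(r"Ctime\s{4}:\s(?P<ctime>" + TIMESTAMP + r")"),
    "file": re.compile(r"File:\s(?P<file>[\/]{1,}(\w|.)+)"),
    "directory": re.compile(r"Directory:\s(?P<directory>[\/]{1,}(\w|.)+)"),
}

def break_events(text):
    """Split the report into events the way BREAK_ONLY_BEFORE would."""
    return [e for e in BREAK_ONLY_BEFORE.split(text) if e.strip()]

def extract_fields(event):
    """Apply each EXTRACT-* regex to one event; fields that do not match are absent."""
    matches = {name: rx.search(event) for name, rx in EXTRACTIONS.items()}
    return {name: m.group(name) for name, m in matches.items() if m}

def event_time(event, time_prefix):
    """Mimic TIME_PREFIX: skip the prefix match, then read the timestamp right after it."""
    m = time_prefix.search(event)
    ts = re.match(TIMESTAMP, event[m.end():]) if m else None
    return ts.group(0) if ts else None

def parse_report(text, time_prefix=PREFIX_BEFORE_TIMESTAMP):
    """One dict per event: extracted fields plus the _time the given prefix selects."""
    return [dict(extract_fields(e), _time=event_time(e, time_prefix)) for e in break_events(text)]

if __name__ == "__main__":
    print(parse_report(SAMPLE_AIDE_LOG))
```

With the posted prefix _time becomes the second (new) Mtime value; with the prefix that stops before the timestamp it becomes the first (old) one, so the choice decides which change time the events are indexed under.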

m_pham
Splunk Employee

Just to add to this, for the path in the stanza, make sure you use the correct slashes depending on which operating system it is (forward slash for Linux and back slash for Windows).


[monitor://<path>]
* Configures a file monitor input to watch all files in the <path> you specify.
* <path> can be an entire directory or a single file.
* You must specify the input type and then the path, so put three slashes in
  your path if you are starting at the root on *nix systems (to include the
  slash that indicates an absolute path).

https://docs.splunk.com/Documentation/Splunk/latest/Admin/inputsconf

https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Monitorfilesanddirectorieswithinputs.conf

Windows inputs stanza example:

[monitor://C:\Windows\System32\WindowsUpdate.log]
index = test
sourcetype = my_sourcetype


0 Karma