Unix events show up in all events

fisk12
Path Finder

I have some different log sources that are being forwarded to a "main Splunk server". There are some Linux servers, and for those I have installed the unix app. For some reason, all the eventtypes are showing up in the events from other sources as well (firewall, wireless controller).

Like this, for every event:

eventtype=auditd
eventtype=cpu
eventtype=df check df host success
eventtype=hardware
eventtype=interfaces
eventtype=iostat cpu iostat report resource success
eventtype=lastlog
eventtype=lsof file lsof report resource success
eventtype=netstat cpu netstat os report success
eventtype=openPorts
eventtype=package
eventtype=protocol
eventtype=ps os process ps report success
eventtype=top os process report success top
eventtype=unix-all-logs
eventtype=usersWithLoginPrivs
eventtype=vmstat memory report resource success vmstat
eventtype=who

0 Karma

stech169
New Member

You've probably already figured this out but I'm just adding this because I had the same issue. If you just comment out the stanza for [unix-all-logs] in //etc/app/unix/default/eventtypes.conf, you don't get any eventtypes for device syslogs. Or look at the stanza for [unix-all-logs] and remove the search parameters that would hit your device syslog files.

In unix app 4.5, I modified as follows:

OLD:
[nix-all-logs]
search = source=".log" OR source=".log." OR source="/log/" OR source="/var/adm/" OR source="access*" OR source="error" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog

NEW:
[nix-all-logs]
search = source="/var/adm/" OR source="access" OR source="error" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog

0 Karma

yaraslau_haradz
New Member

Helped me to get rid of "unix-all-logs" eventtypes:
1) move "unix" app from folder etc/apps
2) restart splunk
3) copy "unix" app back to etc/apps folder
4) restart splunk

0 Karma

fisk12
Path Finder

Anyone have any idea?

0 Karma

fisk12
Path Finder

Cool, did the trick, almost :) I managed to get rid of all the events except unix-all-logs, right now there is a part of my config that looks like this.

search = source="log" OR source="var" OR sourcetype="syslog*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog
dispatch.earliest_time = -15m

[unix-all-configs]
search = source="/etc/" OR source=".conf" OR source="*.cfg"

[unix-errors-or-critical]
search = index="os" = eventtype="unix-all-logs" error OR critical

How should I set this to get rid of the "unix-all-logs" event?

0 Karma

fisk12
Path Finder

Anyone have any ideas?

0 Karma

southeringtonp
Motivator

The unix app has a known issue with incorrectly defined eventtypes.

Take a look at this thread:
http://answers.splunk.com/questions/9194/results-returning-wrong-eventtypes

The gist is that you need to override each of the affected eventtypes and add the missing search= before the search strings.
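To find which stanzas in an eventtypes.conf are affected by the defect described above (a search string written without the `search =` key, so the eventtype ends up with an empty search and tags every event), here is a small checker. It is an added example, not Splunk's tooling or part of the unix app; the conf text is constructed and the parser is a simplified hypothetical one that only handles `[stanza]` and `key = value` lines.

```python
import re

# Constructed sample eventtypes.conf: the first stanza is keyed correctly; the
# other three show the thread's defect (search string written without the
# 'search = ' key, or left empty), which gives the eventtype an empty search.
SAMPLE_CONF = """\
[unix-all-logs]
search = source="*.log" OR sourcetype="syslog*" NOT sourcetype=lastlog
[cpu]
source="cpu" OR sourcetype="cpu"
[hardware]
hardware OR dmidecode
[who]
search =
"""

STANZA = re.compile(r"^\[(.+)\]\s*$")
KEY_VALUE = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*)$")

def parse_conf(text):
    """Parse .conf text into {stanza: {"settings": {key: value}, "bare": [lines]}}.
    A bare line such as source="cpu" OR ... parses as a setting named 'source',
    which is exactly the mis-keying that hides the search from Splunk."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := STANZA.match(line):
            current = stanzas.setdefault(m.group(1), {"settings": {}, "bare": []})
        elif current is None:
            continue
        elif kv := KEY_VALUE.match(line):
            current["settings"][kv.group(1)] = kv.group(2).strip()
        else:
            current["bare"].append(line)
    return stanzas

def find_catch_all_eventtypes(text):
    """Return {stanza: reason} for eventtypes whose search is missing or empty."""
    problems = {}
    for name, body in parse_conf(text).items():
        if body["settings"].get("search", "").strip():
            continue  # has a real search string; not a catch-all
        leftovers = [k for k in body["settings"] if k != "search"] + body["bare"]
        problems[name] = "no 'search =' value; stanza holds: " + (", ".join(leftovers) or "nothing")
    return problems
```

Run `find_catch_all_eventtypes` over the text of the app's default eventtypes.conf; every stanza it reports is one to override in local/eventtypes.conf with a proper `search =` line.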
