*nix app and permissions.

dritan · ‎09-14-2010

This is largely an observation unless i am missing something: on the *nix app of the free version of splunk some files in /var/log directory are exculded from being logged. In fact, the entire /var/log data input is disabled to begin with. Other files and subdirectories are whitelisted and therefore indexable by splunk.

This may become problematic when one wants to see, say, "failed logins" (under Users, Failed Logins menu item in the *nix App). First, the /var/log input must be enabled, second, the/var/log/secure log file should be whitelisted and third, splunk should run as a user with at least read privileges on said locations.

Is there a more direct way of accomplishing this?

dritan

Ledion_Bitincka · ‎09-14-2010

First, to enable the inputs you need to go through the setup of the unix, in Manager > Apps and then click on the Setup link in the Unix app

Second, to get the required data sources (from /var/log) into splunk you'll need to edit the default whitelist under Manager » Data inputs » Files & Directories » /var/log - to index everything simply set this to .*

Not indexing the required data sources to populate the dashboards is a bug, and I've filed an issue SPL-33801

*nix app and permissions.

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio