Got a request to capture Solaris /var/adm/wtmpx data in Splunk. For testing purposes, I downloaded the Splunk Add-on for UNIX and Linux (5.2.4) from Splunkbase, created an app called Test-IA-wtmpx, and deployed it via the deployment server to a remote Solaris test machine, with the following configuration details:
/opt/splunk/etc/apps/Test-IA-wtmpx/bin/ : before deploying to the remote Solaris machine, the lastlog.sh and who.sh executables were given the required permission by executing "chmod +x" on the .sh files.
Created a local directory with the below configuration in inputs.conf:
**Testing to pull the data file wtmpx**
```
# Shows current user sessions
[script://./bin/who.sh]
sourcetype = who
source = who
interval = 150
index = unix
disabled = 0

# Shows last login time for users who have ever logged in
[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
index = unix
disabled = 0

[monitor:///var/adm/wtmpx]
index = unix
disabled = 0
```
In the forwarder management console the Test-IA-wtmpx app was enabled and the restart option was also kept enabled, so that whenever the app is reloaded from the DP instance the app gets restarted.
But still, I could not see the data being ingested into Splunk when executing the simple query below.
index=unix source="/var/adm/wtmpx.txt" host=node1
Can anyone correct me if this is not the correct procedure to capture the wtmpx data in Splunk?
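/var/adm/wtmpx is not a text log: it is a sequence of fixed-size binary utmpx records, so a monitor stanza hands Splunk raw bytes rather than line-oriented events, whereas the who.sh and lastlog.sh inputs above work because they print text. The script below is an added example, not part of the original post and not code from the Splunk Add-on for UNIX and Linux, showing how a scripted input could decode wtmpx records into key=value lines. It assumes the on-disk Solaris futmpx layout (372-byte records, identical on 32- and 64-bit systems), big-endian byte order for SPARC (pass `"<"` for x86 Solaris), and it fabricates its own sample records when run without a file argument; the function and variable names are the example's own.

```python
"""Decode Solaris /var/adm/wtmpx records into one text event per line."""
import struct
import sys
from datetime import datetime, timezone

# On-disk layout of Solaris's struct futmpx: 372-byte fixed records.
# Assumption: big-endian for SPARC; pass byte_order="<" on x86 Solaris.
_BODY_FMT = "32s4s32sihhh2xiii5ih257sx"
RECORD_SIZE = struct.calcsize(">" + _BODY_FMT)  # 372

UT_TYPES = {
    0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "OLD_TIME", 4: "NEW_TIME",
    5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
    8: "DEAD_PROCESS", 9: "ACCOUNTING",
}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_wtmpx(data: bytes, byte_order: str = ">") -> list:
    """Decode every complete record; a trailing partial record (file mid-write) is skipped."""
    fmt = byte_order + _BODY_FMT
    size = struct.calcsize(fmt)
    records = []
    for off in range(0, len(data) - len(data) % size, size):
        f = struct.unpack_from(fmt, data, off)
        records.append({
            "user": _cstr(f[0]),
            "id": _cstr(f[1]),
            "line": _cstr(f[2]),
            "pid": f[3],
            "type": UT_TYPES.get(f[4], f"UNKNOWN({f[4]})"),
            "exit_termination": f[5],
            "exit_code": f[6],
            "time": datetime.fromtimestamp(f[7], tz=timezone.utc),
            "usec": f[8],
            "session": f[9],
            "host": _cstr(f[16]),
        })
    return records


def format_event(rec: dict) -> str:
    """Render one record as a timestamped key=value line Splunk can auto-extract."""
    ts = rec["time"].strftime("%Y-%m-%dT%H:%M:%SZ")
    host = rec["host"] or "-"
    return (f'{ts} type={rec["type"]} user="{rec["user"]}" line="{rec["line"]}" '
            f'host="{host}" pid={rec["pid"]} session={rec["session"]} '
            f'exit_code={rec["exit_code"]}')


def wtmpx_to_events(data: bytes, byte_order: str = ">") -> list:
    return [format_event(r) for r in parse_wtmpx(data, byte_order)]


def build_record(user, line, host, ut_type, tv_sec, pid, byte_order=">") -> bytes:
    """Pack a constructed record; used only to fabricate sample input here."""
    h = host.encode()
    return struct.pack(byte_order + _BODY_FMT,
                       user.encode(), b"ts", line.encode(), pid, ut_type, 0, 0,
                       tv_sec, 0, pid, 0, 0, 0, 0, 0, len(h) + 1, h)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Scripted-input mode: decode a real wtmpx file given on the command line.
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        # Constructed sample: a login, the matching logout, and a partial trailing record.
        data = (build_record("alice", "pts/1", "10.0.0.5", 7, 1700000000, 4242)
                + build_record("alice", "pts/1", "10.0.0.5", 8, 1700003600, 4242)
                + b"\0" * 10)
    for ev in wtmpx_to_events(data):
        print(ev)
```

Deployed alongside who.sh, this would be referenced from a `[script://./bin/wtmpx.py]` stanza (the script name is hypothetical) invoked as `wtmpx.py /var/adm/wtmpx`, and the forwarder user needs read access to that file. Because the whole file is decoded on every run, a production version would also need to remember the last offset it emitted to avoid re-indexing old sessions.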