Hi,
I'm trying to extract File, Directory, mtime, ctime from aide.log in Linux systems. So far I set up below in props.conf under Splunk_TA_nix/local. But I don't see the fields showing up on the web (on the left column). What could be the problem? Your help is greatly appreciated. Thanks.
[aide]
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
TIME_PREFIX = Mtime\s{4}:\s\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{14},\s
BREAK_ONLY_BEFORE = ((File:|Directory:))
CHARSET = UTF-8
EXTRACT-mtime = (Mtime\s{4}:\s\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{14},\s(?<mtime>\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}))
EXTRACT-ctime = (Ctime\s{4}:\s(?<ctime>\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}))
EXTRACT-file = File:\s(?P<file>[\/]{1,}(\w|.)+)
EXTRACT-directory = Directory:\s(?P<directory>[\/]{1,}(\w|.)+)
Sample log format is:
File: /usr/share/locale/hu/LC_MESSAGES/gnupg2.mo
Ctime : 2017-06-05 06:32:00 , 2018-09-13 16:37:11
Inode : 1573959 , 1573958
Directory: /usr/share/locale/es/LC_MESSAGES
Mtime : 2018-07-13 10:27:02 , 2018-09-13 16:37:16
Ctime : 2018-07-13 10:27:02 , 2018-09-13 16:37:16
File: /usr/share/locale/es/LC_MESSAGES/sos.mo
Mtime : 2018-04-13 11:05:35 , 2018-07-25 07:00:49
Ctime : 2018-07-13 10:26:14 , 2018-09-13 16:37:16
Inode : 1446886 , 1446885
MD5 : RKLbELKW5HsioSJ7bM9gww== , VgzX3Er81Q8mFGfQjUg6BQ==
RMD160 : PyFCxLjh+5uE3mg7nuqCzyyCebo= , Lr/v1Vcl90MrhP4+pn6eeYCG76g=
SHA256 : dy7si25ohaOYpS5zY/ZUoyvbabd6GoUe , JuioPCXbqvk7vUXVWm3GeX3PBKlrMwuG
File: /usr/share/locale/es/LC_MESSAGES/gnupg2.mo
Ctime : 2017-06-05 06:32:00 , 2018-09-13 16:37:11
Inode : 1446007 , 1446006
Directory: /usr/share/locale/nds/LC_MESSAGES
Mtime : 2018-07-13 10:26:14 , 2018-09-13 16:37:16
Ctime : 2018-07-13 10:26:14 , 2018-09-13 16:37:16
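The following is an added, stand-alone check and is not part of the question or of the Splunk_TA_nix add-on: it reproduces Splunk's event breaking on `File:`/`Directory:` and runs the question's EXTRACT regexes (named groups restored as `(?P<mtime>...)` etc., since Python's `re` does not accept the `(?<name>...)` form) against a constructed AIDE report. The sample deliberately contains both the column-padded layout that AIDE actually writes (which the fixed `\s{4}` and `\s{14}` counts in the question's regexes assume; the padding widths here are an assumption) and the whitespace-collapsed layout shown in the question, so you can see which lines the strict patterns match and which they silently skip. A second, whitespace-tolerant set of patterns (`TOLERANT`, my own, not from the question) captures both the old and new timestamp for comparison.

```python
import re
from typing import Dict, List

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"   # AIDE timestamp: YYYY-MM-DD HH:MM:SS
PAD = " " * 14  # assumed: AIDE pads the old value out to a fixed column before the comma

# Constructed sample. The first two records use the padded layout AIDE emits;
# the third uses the collapsed spacing exactly as quoted in the question.
SAMPLE_LOG = "\n".join([
    "File: /usr/share/locale/hu/LC_MESSAGES/gnupg2.mo",
    f"  Ctime    : 2017-06-05 06:32:00{PAD}, 2018-09-13 16:37:11",
    f"  Inode    : 1573959{PAD}, 1573958",
    "Directory: /usr/share/locale/es/LC_MESSAGES",
    f"  Mtime    : 2018-07-13 10:27:02{PAD}, 2018-09-13 16:37:16",
    f"  Ctime    : 2018-07-13 10:27:02{PAD}, 2018-09-13 16:37:16",
    "File: /usr/share/locale/es/LC_MESSAGES/sos.mo",
    "Mtime : 2018-04-13 11:05:35 , 2018-07-25 07:00:49",
    "Ctime : 2018-07-13 10:26:14 , 2018-09-13 16:37:16",
    "Inode : 1446886 , 1446885",
]) + "\n"

# Equivalent of BREAK_ONLY_BEFORE = (File:|Directory:): a new event starts at
# every line that begins with one of those tokens.
BREAK_RE = re.compile(r"^(?=File:|Directory:)", re.MULTILINE)

# The question's EXTRACT-* regexes, verbatim apart from the restored group names.
# Note: mtime captures the NEW value (after the comma), ctime captures the OLD one.
STRICT = {
    "file": re.compile(r"File:\s(?P<file>[\/]{1,}(\w|.)+)"),
    "directory": re.compile(r"Directory:\s(?P<directory>[\/]{1,}(\w|.)+)"),
    "mtime": re.compile(
        r"Mtime\s{4}:\s\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{14},\s"
        r"(?P<mtime>\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})"
    ),
    "ctime": re.compile(r"Ctime\s{4}:\s(?P<ctime>\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})"),
}

# Whitespace-tolerant alternative (added here, not from the question): any amount
# of padding is accepted and both old and new timestamps are kept as fields.
TOLERANT = {
    "file": re.compile(r"^File:\s+(?P<file>\S+)", re.MULTILINE),
    "directory": re.compile(r"^Directory:\s+(?P<directory>\S+)", re.MULTILINE),
    "mtime": re.compile(rf"^\s*Mtime\s*:\s*(?P<mtime_old>{TS})\s*,\s*(?P<mtime>{TS})", re.MULTILINE),
    "ctime": re.compile(rf"^\s*Ctime\s*:\s*(?P<ctime_old>{TS})\s*,\s*(?P<ctime>{TS})", re.MULTILINE),
}


def split_events(log: str) -> List[str]:
    """Break the report into one event per changed File:/Directory: entry."""
    return [ev for ev in BREAK_RE.split(log) if ev.strip()]


def extract(event: str, patterns: Dict[str, re.Pattern]) -> Dict[str, str]:
    """Apply each named-group regex to one event, like Splunk's search-time EXTRACT."""
    fields: Dict[str, str] = {}
    for pat in patterns.values():
        m = pat.search(event)
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def parse(log: str, patterns: Dict[str, re.Pattern]) -> List[Dict[str, str]]:
    return [extract(ev, patterns) for ev in split_events(log)]


if __name__ == "__main__":
    for label, pats in (("strict (question's regexes)", STRICT), ("tolerant", TOLERANT)):
        print(f"== {label} ==")
        for ev in parse(SAMPLE_LOG, pats):
            print(ev)
```

Running it shows the strict set extracting `file`, `directory` and the timestamps only from the padded records, while the collapsed third record yields just `file`; the tolerant set extracts every record. If the fields still do not appear in the Splunk UI after the group names are confirmed, check that the stanza name matches the sourcetype the events are actually indexed with and that the `EXTRACT-*` settings (which are search-time) are deployed where the search runs.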