topic Re: Query information in Security

Query information

rballan2 — Tue, 14 Dec 2021 23:13:24 GMT

Hi,

I have a UNIX server Solaris 8 that ac/behave like a Splunk Proxy server for 2 other UNIX servers Solaris 8.

In other words the 2 Solaris servers send the syslog file to the UNIX Solaris Proxy server.

I am trying to create a query that will shows the events coming from the 2 UNIX Solaris 8 servers.

I run the below query for example:

index=nix* serverproxy*
| eval Status=if(like(source, "%FirstUNIXSolaris8%"), 1, 0)

I am not getting any event that will show the FirstUNIX Solaris8 name/hostname.

Please any suggestion how to create the specific query ?

Thanks, Regards.

Roberto

Re: Query information

ITWhisperer — Tue, 14 Dec 2021 23:24:49 GMT

What do your events look like once they are indexed in splunk? Presumably, host is the proxy server and source is the syslog file? What other fields have been extracted?

Re: Query information

rballan2 — Wed, 15 Dec 2021 10:42:39 GMT

Below is an example of Event when I run the query: index=nix* Proxyservername*

Source is /var/adm/messages and /var/log/secure (UNIX LOGS).

Selected fields are:

host

index

process

source

sourcetype

tag

********************************************

12/13/21
6:15:01.000 AM Column icon

Dec 13 01:15:01 PROXYserver CROND[15913]: (flaradm) CMD (cd /vol00/ServerMgmt/Deploy_script/CURRENT/utils/UvScan_DATs/ ; scp *.dat root@PROXYservr:/usr/local/uvscan/ )

host = Proxyserver
index = nixlogsec
process = CROND
source = /var/log/messages
sourcetype = syslog

›
12/13/21
6:15:01.000 AM Column icon

Dec 13 01:15:01 PROXYserver CROND[15913]: (flaradm) CMD (cd /vol00/ServerMgmt/Deploy_script/CURRENT/utils/UvScan_DATs/ ; scp *.dat root@PROXYservr:/usr/local/uvscan/ )

host = Proxyserver
index = nixlogsec
process = CROND
source = /var/log/secure
sourcetype = linux_secure
tag = os tag = unix

›
12/12/21
1:31:33.000 PM Column icon

Dec 12 08:31:33 PROXYserver root: [ID 702911 local1.info] ITSEC : UVSCAN : [uvscan check failed]

host = PROXYservr.lmtas.com
index = nixlogsec
process = root
source = /var/adm/messages
sourcetype = syslog
tag = error

›
12/10/21
9:44:31.000 PM Column icon

Dec 10 16:44:31 PROXYserver scsi: [ID 107833 kern.notice] ASC: 0x32 (no defect spare location available), ASCQ: 0x0, FRU: 0x9d

host = PROXYservr.lmtas.com
index = nixlogsec
process = scsi
source = /var/adm/messages
sourcetype = syslog

Re: Query information

ITWhisperer — Wed, 15 Dec 2021 11:43:47 GMT

To me, it doesn't look like there is anything in the event that identifies which server is sending the syslog file to the proxy server. Unless you can see something?

Re: Query information

rballan2 — Wed, 15 Dec 2021 11:53:05 GMT

You are correct, I do not see it either.

We are checking/verifying why we do not see any information that identifies which server (there are 2

UNIX server that are sending data to the Proxy server) is sending the syslog file to the proxy server.

I will update the "query"/messages as soon as I have the information.

Thanks.