topic Solaris monitoring using Splunk in All Apps and Add-ons

Solaris monitoring using Splunk

catch_mili — Fri, 15 Feb 2013 12:02:51 GMT

I am New to Spluk & installed indexer on windows server & forwarder on Solaris Sparc.
Now I would like monitor below types of

Change in system value
Pkg installation details ( if any new package installed, that should detect by Splunk)

Re: Solaris monitoring using Splunk

MuS — Fri, 15 Feb 2013 13:27:30 GMT

Hi catch_mili

you can either monitor the /var/sadm/pkg directory for package installation or run scripted input from pkginfo -l.
What do you mean by

Change in system value

do you want monitor /etc/system ?

cheers,
MuS

Re: Solaris monitoring using Splunk

Ayn — Fri, 15 Feb 2013 13:41:00 GMT

Also I do think this is more of a Solaris question than a Splunk question. "How can I monitor this in Solaris?" is one question - after that it's just a matter of getting that data into Splunk.

Re: Solaris monitoring using Splunk

colbra — Fri, 15 Feb 2013 14:16:46 GMT

Here are some of the most likely logs you will want to monitor:

/var/log/sulog

The sulog file, /var/adm/sulog, is a log containing all attempts (whether successful or not) of the su command.

/var/adm/loginlog

Unsuccessful login attempts after five consecutive failures are logged in the file /var/adm/loginlog

/var/adm/messages

This log records system console output and syslog messages.

/var/adm/pacct

This log records the commands run by all users. Process accounting must be turned on before this file is generated.

/var/adm/messages

This file is a catch-all log file for a number of messages from the UNIX kernel as well as for other logging applications such as syslogd. The file is formatted as an ASCII text file and entries are usually one record per line with new entries appended to the end of the file.

You can use the [Monitor] directive to monitor the log files:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories