topic Re: How do I collect the results of who/last on unix machines ? in Deployment Architecture

How do I collect the results of who/last on unix machines ?

Hemnaath — Tue, 16 Jan 2018 17:05:31 GMT

Hi Team,

Currently we are requested to set up a monitoring stanza to fetch the wtmpx/utmpx are data file from the remote Solaris machines, similarly wtmp and btmp" are the data files that needs to be monitored from remote linux machine.

wtmpx and utmpx - These two files present under /var/adm/ directory.
wtmp and btmp - These two files present under /var/log/ directory.

Problem Detail:

Since these are the binary files when trying to monitor the file from splunk, I am getting the below WARN message in splunk.

01-16-2018 08:06:47.560 -0500 WARN FileClassifierManager - The file '/var/adm/utmpx' is invalid. Reason: binary
01-16-2018 08:06:46.560 -0500 WARN FileClassifierManager - The file '/var/adm/wtmpx' is invalid. Reason: binary

Requirement :

Need to monitor /var/adm/wtmpx - Binary files that need to be monitored via splunk.

thanks in advance.

Re: How do I collect the results of who/last on unix machines ?

nickhills — Tue, 29 Sep 2020 17:43:57 GMT

Hello.
Your easiest path is to install the Splunk_TA_nix app as it comes with scripted inputs for ‘who’ and ‘last’

The scripts are in the bin folder and are called ‘who.sh’ and ‘lastlogin.sh’

Both of these will read the contents of the binary files and output them in a readable format.

If you use the mechanism from the TA the events will be extracted automatically for you, or you can use the scripts as a starting point for writing your own scripted input.

Re: How do I collect the results of who/last on unix machines ?

Hemnaath — Tue, 29 Sep 2020 17:40:37 GMT

Hey I have downloaded the Splunk_TA_nix add on from the splunk base and I have copy/pasted the who.sh and lastlogin.sh in to bin folder of my own app called test-ta-nix and also copy pasted the scripted inputs details in the inputs.conf in the same app.

# Shows current user sessions
[script://./bin/who.sh]
sourcetype = who
source = who
interval = 150
index = nix
disabled = 0

# Shows last login time for users who have ever logged in
[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
index = nix
disabled = 0 


 [monitor:///var/adm]
 whitelist=(\.log|log$|wtmpx|utmpx|message)
 index=nix
 disable=0

  [monitor:///var/log]
 whitelist=(\.log|log$|secure|message|auth|wtmp|btmp|cron$|\.out)
 blacklist=(lastlog)
 index=nix
 disable=0

Kindly let me know whether I can use the above stanza to fetch the required binary details in to splunk.

thanks in advance.

Re: How do I collect the results of who/last on unix machines ?

Hemnaath — Wed, 17 Jan 2018 14:34:46 GMT

Hi Nickhill, I tried the below inputs.conf stanza in a test machine to pull the binary data from the Solaris machine but it did not fetching any data from that node.

 # Shows current user sessions
 [script://./bin/who.sh]
 sourcetype = who
 source = who
 interval = 150
 index = nix
 disabled = 0

 # Shows last login time for users who have ever logged in
 [script://./bin/lastlog.sh]
 sourcetype = lastlog
 source = lastlog
 interval = 300
 index = nix
 disabled = 0 


[monitor:///var/adm/wtmpx]
index = nix
disabled = 0

Kindly guide me on this.

Re: How do I collect the results of who/last on unix machines ?

Hemnaath — Wed, 17 Jan 2018 14:54:02 GMT

Hi All, Can any one guide me on the scripted inputs to pull the who and last data in to splunk.
thanks in advance.

Re: How do I collect the results of who/last on unix machines ?

nickhills — Wed, 17 Jan 2018 14:58:42 GMT

have you tried running the scripts on the command line?
They should provide formatted output if you just execute them with ./xxx.sh

Re: How do I collect the results of who/last on unix machines ?

Hemnaath — Wed, 17 Jan 2018 15:03:03 GMT

No, I haven't tried executing the script in the remote Solaris node, so you mean to execute the

./who.sh but from which path or a directory we need to execute the script.

Re: How do I collect the results of who/last on unix machines ?

nickhills — Wed, 17 Jan 2018 15:05:10 GMT

from the path that the script is in

Re: How do I collect the results of who/last on unix machines ?

Hemnaath — Wed, 17 Jan 2018 15:09:45 GMT

okay let me try to execute the ./who.sh on the remote machine under this path

/opt/splunkforwarder/etc/test-ia-unix/bin
./who.sh

it should fetch some out put is that correct!

Re: How do I collect the results of who/last on unix machines ?

nickhills — Wed, 17 Jan 2018 15:27:16 GMT

that is correct
(if the scripts work)

Re: How do I collect the results of who/last on unix machines ?

Hemnaath — Wed, 17 Jan 2018 15:27:39 GMT

Hey I dn't have an access to the remote test node, i had just copy pasted who.sh and lastlog.sh from the splunk add-on directly not changed their content. So could please let me know whether the below inputs.conf stanza are right.

# Shows current user sessions
  [script://./bin/who.sh]
  sourcetype = who
  source = who
  interval = 150
  index = nix
  disabled = 0

  # Shows last login time for users who have ever logged in
  [script://./bin/lastlog.sh]
  sourcetype = lastlog
  source = lastlog
  interval = 300
  index = nix
  disabled = 0 


 [monitor:///var/adm/wtmpx]
 index = nix
 disabled = 0

I am checking with unix admin to test the same. meanwhile could you please let me know whether the above inputs.conf is correct.

Re: How do I collect the results of who/last on unix machines ?

Hemnaath — Wed, 17 Jan 2018 17:08:37 GMT

hey we are getting permission denied issue while executing the ./who.sh on the remote node.

/opt/splunkforwarder
bash-3.2$ cd etc/apps/test-ta-nix/bin
bash: cd: etc/apps/test-ta-nix/bin: Permission denied

I could see this error in splunkd.log

01-17-2018 11:55:19.134 -0500 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/test-ta-nix/bin/who.sh" /bin/sh: /opt/splunkforwarder/etc/apps/test-ta-nix/bin/who.sh: cannot execute

Re: How do I collect the results of who/last on unix machines ?

nickhills — Wed, 17 Jan 2018 17:51:21 GMT

you need to make sure that the user running splunk forwarder has permission to all the files in the /opt/splunkforwarder folder.
In addition - that user also needs permission (root) to invoke last (any user can normally run who)

When testing the scripts at the command line, you will need to ensure the user has similar access, otherwise you will see the errors in your post.

Suggest you talk to your unix admins to confirm what permissions the processes have/need

Re: How do I collect the results of who/last on unix machines ?

Anam — Tue, 06 Feb 2018 21:37:08 GMT

@hemnaath

Did the answer and the comments help you figure out the answer? If it did, please click accept on the answer.

Thanks

Re: How do I collect the results of who/last on unix machines ?

Hemnaath — Wed, 07 Feb 2018 11:18:36 GMT

Hi asiddique, it did not fetch the data from the wtmpx file though I had given the complete permission to execute the commands.

Permission Details:

-rwxrwxr-x 1 splunk splunk 2789 Jan 25 06:52 who.sh

-rwxrwxr-x 1 splunk splunk 2835 Jan 25 06:52 lastlog.sh

-rwxrwxr-x 1 splunk splunk 3091 Jan 25 06:52 common.sh

But still unable to read the binary file from /var/adm/wtmpx , so kindly guide me to enable log monitoring.

thanks in advance.

Re: How do I collect the results of who/last on unix machines ?

dchapin — Fri, 17 Aug 2018 19:02:09 GMT

I was able to achieve this by editing the lastlog.sh script that came with the splunk app. Find the if statement that pertains to the OS you are using. in the CMD variable add sudo to it. now edit the sudoers rules list to add a rule to allow splunk user to run the command.

Re: How do I collect the results of who/last on unix machines ?

Hemnaath — Fri, 24 Aug 2018 09:58:05 GMT

hey dchapin, i had an different issue all together and had fixed it after validating that there were two apps with the same input configuration, executing the lastlog.sh script.

Example : one app with ( Bin and script ) folder and another app was with out bin folder, was taking precedence and as the bin folder was not present there was no data in the indexer and the /splunk inputs status resulted with the script exited with code 1

thanks.