topic Re: Pre-canned Linux source types under /var/log in Deployment Architecture

Pre-canned Linux source types under /var/log

klopez30 — Tue, 29 Sep 2020 18:53:09 GMT

Is there any documentation about which files are covered by the pre-canned source types for linux? Specifically, there are two that are fairly similar, linux_messages_syslog: italic*Format found within the Linux log file /var/log/messages*italic and linux_secure: italic*Format for the /var/log/secure file containing all security related messages on a Linux machine*italic.

It's a production machine that I don't have access to, so I can't just guess and check.

Thanks

Re: Pre-canned Linux source types under /var/log

p_gurav — Thu, 05 Apr 2018 13:40:19 GMT

This doc may help you :
http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Listofpretrainedsourcetypes

Re: Pre-canned Linux source types under /var/log

klopez30 — Thu, 05 Apr 2018 13:43:46 GMT

That doesn't map the files to the the sourcetype. It gives an example of one log for that sourcetype.