https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108919#M4115 <P>Yes, other kind of data are already sent to Splunk instance and could be searched &amp; reporting. </P> <P>And I tried to use "script input" which using "last" command is not success, due to formatting as below stated.</P> <P><A href="http://splunk-base.splunk.com/answers/5844/can-i-splunk-my-wtmp-files">http://splunk-base.splunk.com/answers/5844/can-i-splunk-my-wtmp-files</A></P> <P>"This can be more elaborate since "last" doesn't have tailing or time span selection capabilities, but advanced shell scripting and cron can be used to set this up."</P> <P>[Script Input]<BR /> "/usr/bin/last -f /opt/logs/acctlog/wtmpx.20111114"<BR /> where wtmpx.$DATE$ is the last date "/var/adm/wtmpx" truncated.</P> Tue, 15 Nov 2011 06:49:44 GMT rossikwan 2011-11-15T06:49:44Z https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108914#M4110 <P>Hi all,</P> <P>My UNIX (Solaris) host installed Splunk universal forwarder in which some kind of monitor in inputs.conf is successful indexed.</P> <P>But I would like to retrieve daily login information for the UNIX servers without luck to retrieve the events from last command.</P> <P>Could anyone here help for the UNIX login info. to br indexed to Splunk? <BR /> Thanks</P> <P>Rossi</P> Mon, 14 Nov 2011 05:33:49 GMT https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108914#M4110 rossikwan 2011-11-14T05:33:49Z https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108915#M4111 <P>Splunk is able to monitor secure log on unix. Is the following setting meet your requirement? </P> <P>configure inputs.conf like as bellow:</P> <P>[monitor://var/log/secure*]<BR /> sourcetype = *******</P> Mon, 28 Sep 2020 10:06:03 GMT https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108915#M4111 Takajian 2020-09-28T10:06:03Z https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108916#M4112 <P>Do you have log data being monitored already? (Is that what you mean by monitor in inputs?) and do you just want to understand how to search the data?</P> Mon, 14 Nov 2011 10:41:21 GMT https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108916#M4112 Drainy 2011-11-14T10:41:21Z https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108917#M4113 <P>By "without luck" are you referring to your attempts to index the wtmp file data?</P> <P>Splunk for Unix and Linux does have inputs and the necessary script to input this data.</P> <P><A href="http://splunk-base.splunk.com/apps/22314/splunk-for-unix-and-linux">http://splunk-base.splunk.com/apps/22314/splunk-for-unix-and-linux</A> is for splunk servers and<BR /> <A href="http://splunk-base.splunk.com/apps/33800/splunk-for-unix-and-linux-technology-add-on">http://splunk-base.splunk.com/apps/33800/splunk-for-unix-and-linux-technology-add-on</A> if you prefer for your Universal Forwarders (if applicable).</P> Mon, 14 Nov 2011 17:00:51 GMT https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108917#M4113 mikelanghorst 2011-11-14T17:00:51Z https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108918#M4114 <P>Those UNIX servers do not have any file named /var/log/secure*</P> Tue, 15 Nov 2011 06:34:22 GMT https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108918#M4114 rossikwan 2011-11-15T06:34:22Z https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108919#M4115 <P>Yes, other kind of data are already sent to Splunk instance and could be searched &amp; reporting. </P> <P>And I tried to use "script input" which using "last" command is not success, due to formatting as below stated.</P> <P><A href="http://splunk-base.splunk.com/answers/5844/can-i-splunk-my-wtmp-files">http://splunk-base.splunk.com/answers/5844/can-i-splunk-my-wtmp-files</A></P> <P>"This can be more elaborate since "last" doesn't have tailing or time span selection capabilities, but advanced shell scripting and cron can be used to set this up."</P> <P>[Script Input]<BR /> "/usr/bin/last -f /opt/logs/acctlog/wtmpx.20111114"<BR /> where wtmpx.$DATE$ is the last date "/var/adm/wtmpx" truncated.</P> Tue, 15 Nov 2011 06:49:44 GMT https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108919#M4115 rossikwan 2011-11-15T06:49:44Z https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108920#M4116 <P>Let's check how these apps could be help in this items. Get back here after check, thanks</P> Tue, 15 Nov 2011 06:50:30 GMT https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108920#M4116 rossikwan 2011-11-15T06:50:30Z https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108921#M4117 <P>in UNIX app, there has script to retrieve the last from various OS include IBM AIX, SUN Solaris, Linux different distribution... Thanks.</P> Mon, 21 Nov 2011 07:14:52 GMT https://community.splunk.com/t5/Deployment-Architecture/UNIX-last-event-var-log-wtmp/m-p/108921#M4117 rossikwan 2011-11-21T07:14:52Z