topic Re: UNIX log parsing issue in Getting Data In

How to fix UNIX log parsing issue?

pm2012 — Mon, 07 Aug 2023 19:19:10 GMT

Hi Team,

I could see logs coming from UNIX devices in the below format

<38>Aug 1 13:20:29 dns.customer.net 10.32.9.5 sshd[14171]: Failed password for michal from 10.32.7.28 port 58255 ssh2

When i look into the selected events on the left panel these logs are not getting parse, like username, source ip , port, protocol. Any suggestion please. Logs are coming through rsyslog mechanism using TCP input from the device

Re: UNIX log parsing issue

jotne — Mon, 07 Aug 2023 05:25:03 GMT

You have the Splunk Add-on for Unix and Linux installed?

Re: UNIX log parsing issue

pm2012 — Mon, 07 Aug 2023 05:31:39 GMT

Yeah it is installed

Re: UNIX log parsing issue

jotne — Mon, 07 Aug 2023 05:44:12 GMT

You are using Smart Mode or Verbose Mode, not Fast Mode

Re: UNIX log parsing issue

pm2012 — Mon, 07 Aug 2023 06:01:05 GMT

Smartmode

Re: UNIX log parsing issue

isoutamo — Mon, 07 Aug 2023 06:48:24 GMT

Can you describe your environment? Single node, distributed environment, OS, have you UF for collection or HF? Is there any HF before your indexers / SH(s)? Where you have installed this TA?

r. Ismo

Re: UNIX log parsing issue

Simple_Search — Mon, 07 Aug 2023 11:24:22 GMT

Based on the tagging of SYSLOG based on the front tag, I would assume that this is being ingested into a syslog server and then sent to an Indexer or Heavy Forwarder. If this is the case, the Splunk Add-on is not going to help you in this situation if this is the case. I usually ingest the data from SYSLOG and then use regex to extract the field names when I am conducting searches.

If this is being monitored on the server that is using a Universal Forwarder, then ensure that you are monitoring the /var/log locations with the splunkbase app on the forwarder and on the indexer.