topic Re: Configure Splunk to get the aide log file in Getting Data In

Configure Splunk to get the aide log file

ck26676 — Thu, 26 Oct 2023 15:59:46 GMT

I am trying to configure Splunk to read the aide.log file, which file(s) do I need to modify in Splunkforwarder to get it to read the aide.log file.

Re: Configure Splunk to get the aide log file

richgalloway — Thu, 26 Oct 2023 16:40:34 GMT

Any inputs.conf file other than /opt/splunkforwarder/etc/system/default/inputs.conf.

Best practice is to create your own app (/opt/splunkforwarder/etc/apps/org_aide_inputs, for example) and put the inputs.conf file there.

Re: Configure Splunk to get the aide log file

ck26676 — Mon, 30 Oct 2023 15:09:26 GMT

Still trying to get the right configuration to read the aide.log file, this is what I have written in the inputs.conf file.

[aide] SHOULD_LINEMERGE = true NO_BINARY_CHECK = true TIME_PREFIX = Mtime\s{4}:\s\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{14},\s BREAK_ONLY_BEFORE = ((File:|Directory:)) CHARSET = UTF-8 EXTRACT-mtime = (Mtime\s{4}:\s\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{14},\s(?\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})) EXTRACT-ctime = (Ctime\s{4}:\s(?\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})) EXTRACT-file = File:\s(?P[\/]{1,}(\w|.)+) EXTRACT-directory = Directory:\s(?P[\/]{1,}(\w|.)+)

Re: Configure Splunk to get the aide log file

richgalloway — Tue, 31 Oct 2023 01:15:23 GMT

Those settings belong in props.conf on the indexers and heavy forwarders.

BTW, the TIME_PREFIX setting should describe what comes *before* the timestamp and not the timestamp itself.

The inputs.conf file should look a little like this:

[monitor:///path/to/file] index = foo sourcetype = mysourcetype

Re: Configure Splunk to get the aide log file

m_pham — Wed, 01 Nov 2023 21:43:12 GMT

Just to add to this, for the path in the stanza - make sure you use the correct slashes depending which operating system it is (forward slash for Linux and back slash for Windows).

[monitor://<path>]
* Configures a file monitor input to watch all files in the <path> you specify.
* <path> can be an entire directory or a single file.
* You must specify the input type and then the path, so put three slashes in
  your path if you are starting at the root on *nix systems (to include the
  slash that indicates an absolute path).

https://docs.splunk.com/Documentation/Splunk/latest/Admin/inputsconf

https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Monitorfilesanddirectorieswithinputs.conf

Windows inputs stanza example:

[monitor://C:\Windows\System32\WindowsUpdate.log]
index = test
sourcetype = my_sourcetype