https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214114#M42091 <P>HI everyone,</P> <P>fortunately our AIX admin get the script. that script convert the multi line output into one line and save it into log file</P> Tue, 17 Jan 2017 09:24:44 GMT rashid47010 2017-01-17T09:24:44Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214107#M42084 <P>Hi Everyone,</P> <P>We have some unix/aix servers, and we want to configure the servers to send the administrative activity logs to Splunk. </P> <P>Can anybody help me to understand what kind of logs we require, or anyone have experience to advise on that?</P> Wed, 04 Jan 2017 16:29:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214107#M42084 rashid47010 2017-01-04T16:29:21Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214108#M42085 <P>Hi rashid47010,</P> <P>the best solution is to install Splunk_TA_nix App.</P> <P>Otherwise you have to take:</P> <UL> <LI>/var/log/secure</LI> <LI><P>/var/log/messages<BR /> inserting in your Forwarders' inputs.cong the following stanzas:</P> <P>[monitor:///var/log/secure]<BR /> disabled = 0<BR /> index = os<BR /> sourcetype = linux<BR /> [monitor:///var/log/messages]<BR /> disabled = 0<BR /> index = os<BR /> sourcetype = linux</P></LI> </UL> <P>You have to verify if on AIX there are additional logs that you have to take.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 12:15:27 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214108#M42085 gcusello 2020-09-29T12:15:27Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214109#M42086 <P>Hi Giuseppe</P> <P>Thanks for your reply. <BR /> My concern is also that what AIX admin should configure on host to sent it to <STRONG>/var/log/messages</STRONG> or /var/log/secure.</P> <P>in our scenario, all servers are sending logs to one central syslog server.</P> <P>I believe that in secure logs we are getting authentication logs. </P> Wed, 04 Jan 2017 16:58:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214109#M42086 rashid47010 2017-01-04T16:58:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214110#M42087 <P>Hi rashid47010,<BR /> You can install a forwarder on the syslog server and so take logs in Splunk.<BR /> You could also use Splunk as syslog concentrator and directly send syslogs to Splunk using UDP or TPC protocols (see network inputs).<BR /> Every way the best solution it should be to install a forwarder on each server: In this way you have a more efficient and sure solution.<BR /> Efficient because transmission is optimized (bandwidth optimization, compression, ...), sure because forwarder caches logs in case of problems, using syslog you lose logs in case of problems (to not lose logs you should use a Load Balancer and two Splunk Servers as receivers).<BR /> So I suggest to you to use syslog only if you cannot use a Forwarder.<BR /> Bye.<BR /> Giuseppe</P> Wed, 04 Jan 2017 17:49:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214110#M42087 gcusello 2017-01-04T17:49:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214111#M42088 <P>hi cusello,</P> <P>unfortunately I faced another problem related to the parsing of AIX audit logs into splunk. In aix servers, the logs are multi line. <BR /> for example a new user created the user created command in first line and the user name is in second line. how can we fix this issue.<BR /> and in splunk it ony shows the first line.</P> <P>It is very critical to us.Please advice.</P> Wed, 11 Jan 2017 05:16:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214111#M42088 rashid47010 2017-01-11T05:16:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214112#M42089 <P>hi cusello,</P> <P>unfortunately I faced another problem related to the parsing of AIX audit logs into splunk. In aix servers, the logs are multi line. <BR /> for example a new user created the user created command in first line and the user name is in second line. how can we fix this issue.<BR /> and in splunk it ony shows the first line.</P> <P>It is very critical to us.Please advice.</P> Thu, 12 Jan 2017 08:23:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214112#M42089 rashid47010 2017-01-12T08:23:52Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214113#M42090 <P>did you tried to configure your props.con with <CODE>SHOULD_LINEMERGE=true</CODE>?<BR /> After this you could extract your field using <CODE>(?ms)</CODE> option in your REGEX.<BR /> Bye.<BR /> Giuseppe</P> Thu, 12 Jan 2017 10:17:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214113#M42090 gcusello 2017-01-12T10:17:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214114#M42091 <P>HI everyone,</P> <P>fortunately our AIX admin get the script. that script convert the multi line output into one line and save it into log file</P> Tue, 17 Jan 2017 09:24:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Unix-AIX-servers-to-forward-administrative/m-p/214114#M42091 rashid47010 2017-01-17T09:24:44Z