https://community.splunk.com/t5/Getting-Data-In/Can-I-Splunk-my-wtmp-files/m-p/34435#M6242 <P>Hi Hexx, Got a request to monitor the wtmpx file in splunk, but I am not sure how to create a script to read and write the data from wtmpx file from /var/adm/wtmpx and output the data into a text file, which splunk can read it. If you can guide me on creating a script, it will be great help.</P> <P>thanks in advance. </P> Wed, 07 Feb 2018 11:10:57 GMT Hemnaath 2018-02-07T11:10:57Z https://community.splunk.com/t5/Getting-Data-In/Can-I-Splunk-my-wtmp-files/m-p/34432#M6239 <P>The file <CODE>/var/log/wtmp</CODE> is where most *nix systems keep track of all logins and logouts to the system.</P> <P>The file is not plain text, however, and contains binary data :</P> <PRE><CODE>[root@dirtysanchez ~]# file /var/log/wtmp /var/log/wtmp: data </CODE></PRE> <P>How can Splunk index the contents of that file?</P> Fri, 20 Aug 2010 20:20:53 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-Splunk-my-wtmp-files/m-p/34432#M6239 hexx 2010-08-20T20:20:53Z https://community.splunk.com/t5/Getting-Data-In/Can-I-Splunk-my-wtmp-files/m-p/34433#M6240 <P>The first thing to do is to convert the file contents to text. For /var/log/wtmp, this will typically be achieved using the "who" and "last" commands, depending on if you want historical data (last) or current data (who).</P> <P>Then, there are two approaches you can take :</P> <UL> <LI><P>Set up a scripted input calling a shell script that executes "who" or "last" with the options you need and that will index the generated output. This is the simplest approach.</P></LI> <LI><P>Write a shell script external to Splunk that periodically reads /var/log/wtmp and writes it's output to a file monitored by Splunk. This can be more elaborate since "last" doesn't have tailing or time span selection capabilities, but advanced shell scripting and cron can be used to set this up.</P></LI> </UL> Fri, 20 Aug 2010 20:35:49 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-Splunk-my-wtmp-files/m-p/34433#M6240 hexx 2010-08-20T20:35:49Z https://community.splunk.com/t5/Getting-Data-In/Can-I-Splunk-my-wtmp-files/m-p/34434#M6241 <P>It's somewhat easier to convert wtmp to text using fwtmp, which is specifically designed for the purpose. On solaris, it's in /usr/lib/acct; on most linux systems, it's part of the acct (GNU account tools) package.</P> <P>fwtmp takes wtmp(x) on standard input and produces lines like this on stdout:</P> <PRE><CODE>pde sshd 12173 8 0000 0000 1282333385 148991 0 0 Fri Aug 20 19:43:05 2010 pde sshd 14663 7 0000 0000 1282340448 321800 0 39 adsl-68-92-27-201.dsl.rcsntx.swbell.net Fri Aug 20 21:40:48 2010 pde ts/7 pts/7 14667 7 0000 0000 1282340448 515234 0 39 adsl-68-92-27-201.dsl.rcsntx.swbell.net Fri Aug 20 21:40:48 2010 </CODE></PRE> <P>Since the wtmp format is well documented, it should be a fairly trivial exercise to extract the information you require from the text representation of the records.</P> Sat, 21 Aug 2010 05:04:25 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-Splunk-my-wtmp-files/m-p/34434#M6241 pde 2010-08-21T05:04:25Z https://community.splunk.com/t5/Getting-Data-In/Can-I-Splunk-my-wtmp-files/m-p/34435#M6242 <P>Hi Hexx, Got a request to monitor the wtmpx file in splunk, but I am not sure how to create a script to read and write the data from wtmpx file from /var/adm/wtmpx and output the data into a text file, which splunk can read it. If you can guide me on creating a script, it will be great help.</P> <P>thanks in advance. </P> Wed, 07 Feb 2018 11:10:57 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-Splunk-my-wtmp-files/m-p/34435#M6242 Hemnaath 2018-02-07T11:10:57Z