topic Re: teach splunk to read data from log in Splunk Search

teach splunk to read data from log

fisk12 — Mon, 15 Nov 2010 05:04:37 GMT

I have syslog from a server sending me logs from /var/log/secure (ssh). But splunk can't seem to read out some stuff from it (ex src)

The packet looks like this.

Nov 14 21:50:33 172.28.2.5 sshd[984]: Accepted password for apa from 192.168.1.5 port 42957 ssh2 tag::host=test Options| host=192.168.1.1 Wiki Options

I want the src (192.168.1.5) to appear in the "src" column.

Re: teach splunk to read data from log

treinke — Mon, 15 Nov 2010 21:26:38 GMT

Sounds like you want to do some field extraction. You can give Splunk the field values and then give the results a field name. This is well documented and can be found at:

http://www.splunk.com/base/Documentation/4.1.5/User/InteractiveFieldExtractionExample

Re: teach splunk to read data from log

Genti — Tue, 16 Nov 2010 08:28:29 GMT

IFX works quite well, for me, but if it seems to be failing for you and you are unable to define the regex correctly through it, you could use a custom made regex and use the props.conf way of extracting fields. This is also very well documented at: http://www.splunk.com/base/Documentation/4.1.5/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles

Re: teach splunk to read data from log

fisk12 — Fri, 19 Nov 2010 23:41:27 GMT

Hmm, but say that i monitor all events in a 15 minutes interval, i have some stuff from the firewall that shows up in the "src" field. I also log some stuff from one of the linux server, and i want it to be able to show the source of the ssh stuff (or from the apache server) in the same "src" field as the firewall.