We are going to use syslog-ng and a heavy forwarder for the SecretServer. Could it be that we only need to change the props.conf in the SecretServer app to [SecretServer] rather than the default [syslog] stanza?
The app is designed to have the SecretServer sent directly to an Indexer. However, we are first sending it to a syslog-ng and then via Heavy Forwarder to the index cluster. Therefore, all the panels are set up to use "source=secretserver".
But, when the syslog server sends the data, the source is the LOG file. So, should we install this app on the indexers, forwarders, and search heads; or just the search heads? Then, the source will change, as the log files rotate. So, we can use sourcetype to power all the panels. Should we then update the props.conf file with the sourcetype stanza, SecretServer?
Thank you. However, there are no pre-built panels on the Secret server app.
The application is working now. I modified the props.conf with the sourcetype and then modified all the xml panels switching source with sourcetype in the search and finally the eventtypes.conf to change to searching by sourcetype.
Is the data already present in Splunk, or are you trying to get data into Splunk? If the data is already available, then you can use the prebuilt dashboards and saved searches present in the app. All you need to do is edit the saved searches accordingly. This app just needs to be on the search head.
Yes, the data is getting into Splunk. However, the fields are not really being extracted properly.
@jaxjohnny2000 Did you ever get the additional fields to extract properly?
Running into the same issues, edited props.conf to look at proper Eventtype but some of the fields are still not extracting properly. For example, Action, By_User and plenty of others. The regex appears to be correct and when tested with rubular as well as the splunk custom field extractor we get the expected results, but they do not carry over into search...
So are you receiving data at all? If so, check the sourcetype. I had to remove the syslog stanza completely.
I have a Syslog-ng listening and then sending to the index cluster sourcetype=secretserver
Then I checked the case of the stanza (does that matter?)
[secretserver]
# Positional (pipe-delimited) extractions: the delimiter must be escaped as \| in the
# regex. A bare | is alternation ("a run of non-pipe characters OR nothing"), so a
# repeat such as ([^|]+|){4} never has to consume a delimiter and the named group
# captures the wrong text. Named groups are written (?P<field>...).
EXTRACT-EventID = (?i)^(?:[^|]*\|){4}(?P<EventID>[^|]+)
EXTRACT-action = (Action: (?P<action>[^:]+) )
EXTRACT-body = ^([^|]+\|){7}(?P<body>[^|]+)
EXTRACT-by_user = (By User: (?P<by_user>[^:=]+) )
EXTRACT-container_name = (Container Name: (?P<container_name>[^:=]+(?!suid=)) )
EXTRACT-details = (Details: (?P<details>[^:]+) (suid=))
EXTRACT-event = (Event: (?P<event>[^:]+) )
EXTRACT-file_id = (fileId=(?P<file_id>[^=]+) )
EXTRACT-file_name = (fname=(?P<file_name>[^=]+) )
EXTRACT-file_type = (fileType=(?P<file_type>[^=]+) )
EXTRACT-full_suser = (?i) suser=(?P<full_suser>.+?)\s\S+=
EXTRACT-item_name = (Item Name: (?P<item_name>[^:=]+(?!suid=)) )
EXTRACT-log_level = ^([^|]+\|){6}(?P<log_level>[^|]+)
EXTRACT-message_name = ^([^|]+\|){5}(?P<message_name>[^|]+)
EXTRACT-preamble = ^(?P<preamble>[^|]+)\|
EXTRACT-product = ^([^|]+\|){2}(?P<product>[^|]+)
EXTRACT-receipt_time = (rt=(?P<receipt_time>[^=]+) )
EXTRACT-tss_cs1 = (cs1=(?P<tss_cs1>[^=]+) )
EXTRACT-tss_cs1Label = (cs1Label=(?P<tss_cs1Label>[^=]+) )
EXTRACT-tss_cs2 = (cs2=(?P<tss_cs2>[^=]+) )
EXTRACT-tss_cs2Label = (cs2Label=(?P<tss_cs2Label>[^=]+) )
EXTRACT-tss_cs3 = (cs3=(?P<tss_cs3>[^=]+) )
EXTRACT-tss_cs3Label = (cs3Label=(?P<tss_cs3Label>[^=]+) )
EXTRACT-tss_cs4 = (cs4=(?P<tss_cs4>[^=]+) )
EXTRACT-tss_cs4Label = (cs4Label=(?P<tss_cs4Label>[^=]+) )
EXTRACT-tss_msg = (msg=(?P<tss_msg>[^=]+) )
EXTRACT-tss_signature_id = ^([^|]+\|){4}(?P<tss_signature_id>[^|]+)
EXTRACT-tss_src = (src=(?P<tss_src>[^=]+) )
EXTRACT-tss_suid = (suid=(?P<tss_suid>[^=]+) )
EXTRACT-tss_suser = (suser=(?P<tss_suser>[^=]+) )
EXTRACT-vendor = ^([^|]+\|){1}(?P<vendor>[^|]+)
EXTRACT-version = ^([^|]+\|){3}(?P<version>[^|]+)
# CIM-style aliases; an alias only resolves when the field on its left is extracted above.
FIELDALIAS-aob_gen_syslog_alias_1 = EventID AS signature_id
FIELDALIAS-aob_gen_syslog_alias_10 = action AS change_type
FIELDALIAS-aob_gen_syslog_alias_11 = tss_cs1 AS cs1
FIELDALIAS-aob_gen_syslog_alias_12 = tss_cs2 AS cs2
FIELDALIAS-aob_gen_syslog_alias_13 = tss_cs3 AS cs3
FIELDALIAS-aob_gen_syslog_alias_14 = tss_cs4 AS cs4
FIELDALIAS-aob_gen_syslog_alias_15 = tss_cs4Label AS cs4Label
FIELDALIAS-aob_gen_syslog_alias_16 = tss_cs3Label AS cs3Label
FIELDALIAS-aob_gen_syslog_alias_17 = tss_cs2Label AS cs2Label
FIELDALIAS-aob_gen_syslog_alias_18 = tss_cs1Label AS cs1Label
FIELDALIAS-aob_gen_syslog_alias_19 = tss_msg AS msg
FIELDALIAS-aob_gen_syslog_alias_2 = product AS vendor_product
FIELDALIAS-aob_gen_syslog_alias_20 = tss_signature_id AS signature_id
FIELDALIAS-aob_gen_syslog_alias_3 = product AS app
FIELDALIAS-aob_gen_syslog_alias_4 = log_level AS severity
FIELDALIAS-aob_gen_syslog_alias_5 = suser AS src_user
FIELDALIAS-aob_gen_syslog_alias_6 = suser AS user
FIELDALIAS-aob_gen_syslog_alias_7 = duser AS object
FIELDALIAS-aob_gen_syslog_alias_8 = duid AS object_id
FIELDALIAS-aob_gen_syslog_alias_9 = container_name AS dest
SHOULD_LINEMERGE = 0
pulldown_type = 1
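To see why the escaping of the pipe delimiter decides whether the positional fields extract, here is an added Python check that is not part of the app or of the post above: it runs a few of the stanza's regexes, in their as-posted and corrected forms, over a constructed sample event. The event layout, the value names and the helper names (`SAMPLE`, `extract_fields`, `compare_event_id`) are assumptions for the illustration, not a real Secret Server record.

```python
import re

# Constructed sample in the pipe-delimited header + key=value extension layout the
# stanza parses; it is an illustration, not a real Secret Server record.
SAMPLE = ("CEF:0|ExampleVendor|Secret Server|10.0|10001|SECRET - VIEW|2|"
          "rt=Jan 02 2024 10:11:12 suser=alice suid=42 src=10.0.0.5 "
          "msg=Secret View By User: alice cs1=Prod cs1Label=Folder")

# Positional extraction as originally posted: the bare | is alternation, so the {4}
# repeat never has to consume a delimiter and the named group lands inside field 0.
BROKEN_EVENTID = r"^(?:[^|]*|){4}(?P<EventID>[^|]+)"

# The same stanza entries with the delimiter escaped (\|). Named groups use the
# (?P<name>...) syntax that both Splunk (PCRE) and Python's re accept.
FIXED = {
    "EventID":   r"^(?:[^|]*\|){4}(?P<EventID>[^|]+)",
    "vendor":    r"^([^|]+\|){1}(?P<vendor>[^|]+)",
    "product":   r"^([^|]+\|){2}(?P<product>[^|]+)",
    "log_level": r"^([^|]+\|){6}(?P<log_level>[^|]+)",
    "tss_suser": r"suser=(?P<tss_suser>[^=]+) ",
    "tss_msg":   r"msg=(?P<tss_msg>[^=]+) ",
    "by_user":   r"By User: (?P<by_user>[^:=]+) ",
}


def extract_fields(event, patterns):
    """Mimic search-time EXTRACT-*: run each regex once and collect the named captures."""
    fields = {}
    for pattern in patterns.values():
        match = re.search(pattern, event)
        if match:
            fields.update({k: v for k, v in match.groupdict().items() if v is not None})
    return fields


def compare_event_id(event):
    """Return (as_posted, corrected) EventID captures for the same event."""
    broken = re.search(BROKEN_EVENTID, event)
    fixed = re.search(FIXED["EventID"], event)
    return (broken.group("EventID") if broken else None,
            fixed.group("EventID") if fixed else None)


if __name__ == "__main__":
    print("EventID as posted vs corrected:", compare_event_id(SAMPLE))
    for name, value in sorted(extract_fields(SAMPLE, FIXED).items()):
        print(f"{name}={value!r}")
```

The key=value patterns rely on backtracking to the space before the next key, so a value that itself contains a space followed by a key-like token will be cut short; that is the behaviour of the posted regexes, not something the check changes.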
hi @jaxjohnny2000,
Thanks for posting on Splunk Answers. Could you give us some more context on your problem? The more detail your post contains, the better chance it has of being answered by the community.
@jaxjohnny2000,
Thanks for providing more info. I moved your comment up to the main post so that it's more visible.
Good luck with your query!