- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to change assigned sourcetype for Add-on for U...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to change assigned sourcetype for Add-on for Unix and Linux from syslog
We have the Splunk Add-on for Unix and Linux installed on a deployment server, and pushed out to many Linux hosts. Currently, we're having issues with the following stanza in the inputs.conf file:
[monitor:///var/log]
whitelist=(.log|log$|messages|secure|auth|mesg$|cron$|acpid$|.out)
blacklist=(lastlog|anaconda.syslog)
index=os
disabled = 0
This directory is monitored using universal forwarders, and sent to indexers to be parsed. At some point, the sourcetype "syslog" is given to this log data. Is this common? I thought I'd seen /var/log/message as sourcetype="messages" in the past.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check to see if you have the appropriate tag values for the events with the syslog sourcetype. As long as those are correct, the CIM should be just fine with that data. The CIM doesn't (by default) care about sourcetypes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're correct. And the corresponding App expecting the sourcetype=syslog. Thanks for your help, @micahkemp.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which values do you see for source for the sourcetype syslog? That is indeed a common sourcetype, but I'm not sure all of those files should have that sourcetype in the end. The app's props.conf sets different sourcetypes based on the filename.
I don't see any reference to a messages sourcetype in the TA.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see the filepath for the log (e.g., /var/log/messages) as the source, but the sourcetype gets tagged as "syslog". You're correct - the TA documentation does not specify messages sourcetype, but I was surprised to see "syslog". Curious if this was expected behavior, and whether it works with the App and CIM.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
