
Is there a script that grabs the output of the "last" command, similar to the other .sh scripts in Splunk-TA-nix?

Motivator

Hi All, currently we want to monitor a file on a remote UNIX machine, for which we are looking for a script that can fetch the "last" command data from the Unix operating system and ingest it into Splunk, like the other scripts (who.sh, lastlogin.sh, top.sh, etc.) available in the Splunk-TA-nix add-on.

So kindly guide me on this.


Ultra Champion

With reference to your other post https://answers.splunk.com/answers/610697/how-do-i-collect-the-results-of-wholast-on-unix-ma.html

If you have installed the splunkforwarder on the target, it's not really a remote machine, as you are collecting files locally using the UF.
Your simplest course of action is to install the Splunk-provided Unix TA and configure the inputs accordingly.

All the TA is doing in this case is calling (and formatting) the stdout results from those commands, and it comes shipped with appropriate inputs, props and transforms to get that data into Splunk in an indexed and normalised format.

lastlog.sh is invoking "last" in exactly this way.


Motivator

Hi Nickhill, yes, you are right, but it's not reading the wtmpx file (a binary file) from this location: /var/adm/wtmpx, and I hope this is not built into the lastlog.sh script. So we decided to write a script that can read this binary file and write it to a normal txt file, but at the same time the script should be written in such a way that it is not re-indexing the same file again and again. So could you please guide me on this request to create a script which can read a binary file and write it out as a normal txt file.

Thanks in advance.

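As an added illustration of the two requirements in the last post (decode the binary login-record file into plain text, and never re-emit records that were already written), here is a small Python script. It is not code from this thread or from the Splunk-TA-nix add-on. It assumes the glibc `struct utmp` record layout used by Linux wtmp files (384-byte records, little-endian); the Solaris `/var/adm/wtmpx` file uses a different record layout, so the `UTMP_FMT` format string would have to be adjusted for that platform. The sample records it processes are constructed in the script, not captured from a real system.

```python
"""Incrementally convert a Linux wtmp-style binary file into text lines.

Added example, not part of Splunk-TA-nix. Assumption: records use the
glibc x86_64 ``struct utmp`` layout (384 bytes). Solaris wtmpx differs,
so UTMP_FMT must be changed for that platform.
"""
import json
import os
import struct
import tempfile
from datetime import datetime, timezone

# type, pad, pid, line[32], id[4], user[32], host[256], exit(2 shorts),
# session, tv_sec, tv_usec, addr_v6[4], 20 bytes unused
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS, BOOT_TIME = 7, 8, 2
TYPE_NAMES = {USER_PROCESS: "login", DEAD_PROCESS: "logout", BOOT_TIME: "boot"}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_records(data: bytes) -> list:
    """Decode every complete record in data into a dict; a partial tail is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _tv_usec, *_addr) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": TYPE_NAMES.get(ut_type, str(ut_type)),
            "pid": pid,
            "user": _cstr(user),
            "line": _cstr(line),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, timezone.utc).isoformat(),
        })
    return records


def format_line(rec: dict) -> str:
    """One key=value text line per record, easy for a file monitor to pick up."""
    return "{time} type={type} user={user} line={line} host={host} pid={pid}".format(**rec)


def pack_record(ut_type, pid, line, user, host, tv_sec) -> bytes:
    """Build a synthetic record (used only for constructed sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def convert_incremental(wtmp_path: str, out_path: str, state_path: str) -> int:
    """Append only unseen records to out_path; return how many were written.

    The byte offset just past the last fully parsed record is stored in
    state_path, so a re-run never re-emits data already in the text file.
    If the binary file is smaller than the saved offset (rotation or
    truncation), parsing restarts from the beginning.
    """
    offset = 0
    if os.path.exists(state_path):
        with open(state_path) as fh:
            offset = json.load(fh).get("offset", 0)
    if os.path.getsize(wtmp_path) < offset:
        offset = 0
    with open(wtmp_path, "rb") as fh:
        fh.seek(offset)
        chunk = fh.read()
    complete = len(chunk) - len(chunk) % UTMP_SIZE  # a half-written record waits for next run
    records = parse_records(chunk[:complete])
    with open(out_path, "a") as out:
        for rec in records:
            out.write(format_line(rec) + "\n")
    with open(state_path, "w") as fh:
        json.dump({"offset": offset + complete}, fh)
    return len(records)


def run_demo() -> tuple:
    """Run three passes over constructed sample data; return counts and output lines."""
    tmp = tempfile.mkdtemp()
    wtmp = os.path.join(tmp, "wtmp")
    out, state = os.path.join(tmp, "wtmp.txt"), os.path.join(tmp, "wtmp.state")
    with open(wtmp, "wb") as fh:  # constructed sample records
        fh.write(pack_record(USER_PROCESS, 4242, "pts/0", "alice", "10.0.0.5", 1700000000))
        fh.write(pack_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1700003600))
    first = convert_incremental(wtmp, out, state)    # 2 new records
    second = convert_incremental(wtmp, out, state)   # 0: nothing re-emitted
    with open(wtmp, "ab") as fh:                     # a later login is appended
        fh.write(pack_record(USER_PROCESS, 5151, "pts/1", "bob", "10.0.0.9", 1700007200))
    third = convert_incremental(wtmp, out, state)    # 1: only the new record
    with open(out) as fh:
        lines = fh.read().splitlines()
    return first, second, third, lines


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The text file produced by `convert_incremental` is append-only and the state file records how far into the binary file the script has read, so running it from cron (or as a scripted input) and pointing a Splunk monitor input at the text file ingests each login or logout event once. The same offset-tracking approach works for any fixed-size binary record format once `UTMP_FMT` matches the platform's record layout.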