
Linux Secure Technology Add-On: auth.log not parsed

Builder

Hello.
I'm using Ubuntu 16.04 LTS and collected /var/log/auth.log.
Also, on CentOS 7 with /var/log/secure it works properly.

[monitor:///var/log/auth.log]
disabled = 0

And I have this:
The sourcetype shows as syslog, not as secure_linux.
TA_nix was removed before I installed Linux Secure Technology Add-On.

1 Solution

SplunkTrust

Always specify the source type in your inputs.conf monitor stanza. In this case, sourcetype=linux_secure.

P.S. a new version of the app is currently under certification review which will provide greater support for Debian-based distributions and should be released in the coming days.


Builder

Later I did it, but it hasn't helped me.
But on another machine with Ubuntu 16.04 it works well.


Path Finder

When they say remove Splunk_TA_nix from the SH before installing, does that requirement also mean removing Splunk_TA_nix from all indexers, HFs and d/s? Also, can disabling the app be sufficient, or does the app directory need to be totally removed? I want to just test this out first before removing TA_nix entirely.


SplunkTrust

Only removal from the search head is strictly necessary. You could disable the Splunk_TA_nix app instead, but I recommend removal.


Path Finder

I assume you still need Splunk_TA_nix on your HF running syslog-ng and on the indexers for UFs running on Linux hosts, as these have the props and transforms for these Linux logs, and the Splunk App for Unix and Linux is for the SH for visuals. So for linux secure the requirements are "Splunk App for Unix and Linux" and "linux_secure" on the SHs, and Splunk_TA_nix on indexers and HFs, and I guess UFs too. Is this true?


SplunkTrust

No, I don't recommend Splunk_TA_nix be used at all anywhere in your Splunk environment. Simply configure the inputs.conf monitor stanza for /var/log/auth.log on your universal forwarder with sourcetype=linux_secure, then install the TA-linux_secure app in your search environment and you're done.

There's nothing to be visualised for /var/log/auth.log. If you're looking for Linux performance monitoring, I suggest: https://splunkbase.splunk.com/app/3412/

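As an added check (example code written for this thread, not code from the thread or from the TA-linux_secure add-on): a small Python script that parses an inputs.conf and flags monitor stanzas that lack the explicit sourcetype the answers above call for, or carry a different one. The sample inputs.conf and the path-to-sourcetype table it checks against are constructed.

```python
"""Flag Splunk inputs.conf monitor stanzas with a missing or wrong sourcetype.

Added example, not from the thread or the add-on. The sample conf and the
EXPECTED table below are constructed from the paths discussed in the thread.
"""
import configparser

# Constructed sample: the asker's original auth.log stanza (no sourcetype),
# a correct stanza for CentOS /var/log/secure, and a non-monitor stanza.
SAMPLE_INPUTS_CONF = """\
[monitor:///var/log/auth.log]
disabled = 0

[monitor:///var/log/secure]
disabled = 0
sourcetype = linux_secure

[splunktcp://9997]
disabled = 0
"""

# Assumed mapping: which sourcetype each monitored path should carry.
EXPECTED = {
    "/var/log/auth.log": "linux_secure",
    "/var/log/secure": "linux_secure",
}


def parse_inputs_conf(text):
    """Return {stanza_name: {key: value}} for INI-style Splunk .conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def find_sourcetype_problems(text, expected=EXPECTED):
    """Return [(path, reason)] for monitor stanzas that would be indexed
    with the wrong sourcetype (no explicit value means Splunk auto-detects,
    which is how auth.log ended up as plain 'syslog')."""
    problems = []
    for stanza, keys in parse_inputs_conf(text).items():
        if not stanza.startswith("monitor://"):
            continue  # only file/directory monitors matter for this check
        path = stanza[len("monitor://"):]
        want = expected.get(path)
        if want is None:
            continue  # path not covered by the expected table
        got = keys.get("sourcetype")
        if got is None:
            problems.append((path, "missing sourcetype, add sourcetype = " + want))
        elif got != want:
            problems.append((path, "sourcetype is %s, expected %s" % (got, want)))
    return problems
```

Run it against the forwarder's actual inputs.conf (or the merged output of `splunk btool inputs list --debug`) to find stanzas that still rely on automatic sourcetype detection.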