Linux Secure Technology Add-On: auth.log not parsed

test_qweqwe
Builder

Hello.
I'm using Ubuntu 16.04 LTS and collecting /var/log/auth.log.
Also, on CentOS 7 with /var/log/secure it works properly.

[monitor:///var/log/auth.log]
disabled = 0

And I get this:
The sourcetype shows as syslog, not as secure_linux.
TA_nix was removed before I installed the Linux Secure Technology Add-On.

1 Solution

doksu
Contributor

Always specify the source type in your inputs.conf monitor stanza. In this case, sourcetype=linux_secure.

P.S. a new version of the app is currently under certification review which will provide greater support for Debian-based distributions and should be released in the coming days.

test_qweqwe
Builder

Later I did that, but it didn't help me.
But on another machine with Ubuntu 16.04 it works fine.

kmarciniak
Path Finder

When they say to remove Splunk_TA_nix from the SH before installing, does that requirement also mean removing Splunk_TA_nix from all indexers, HFs and d/s? Also, is disabling the app sufficient, or does the app directory need to be removed entirely? I want to test this out first before removing TA_nix entirely.

doksu
Contributor

Only removal from the search head is strictly necessary. You could disable the Splunk_TA_nix app instead, but I recommend removal.

kmarciniak
Path Finder

I assume you still need Splunk_TA_nix on your HF running syslog-ng and on the indexers for UFs running on Linux hosts, as these have the props and transforms for these Linux logs, and the Splunk App for Unix and Linux is for the SH for visuals. So for Linux Secure the requirements are the "Splunk App for Unix and Linux" and "linux_secure" on the SHs, and Splunk_TA_nix on indexers and HFs, and I guess UFs too. Is this true?

doksu
Contributor

No, I don't recommend Splunk_TA_nix be used at all anywhere in your Splunk environment. Simply configure the inputs.conf monitor stanza for /var/log/auth.log on your universal forwarder with sourcetype=linux_secure, then install the TA-linux_secure app in your search environment and you're done.

There's nothing to be visualised for /var/log/auth.log. If you're looking for Linux performance monitoring, I suggest: https://splunkbase.splunk.com/app/3412/
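Both of doksu's answers above come down to one rule: every monitor stanza that feeds the add-on must carry an explicit sourcetype = linux_secure, otherwise the forwarder falls back to automatic source typing and the data lands as syslog. The following is an added example, not code from this thread or from the TA-linux_secure app: a small Python lint that parses an inputs.conf, reports monitor:// stanzas with no effective sourcetype (honouring a per-file [default] stanza the way Splunk does), and inserts one. The inputs.conf text is constructed for the example; the function names are mine.

```python
"""Lint a Splunk inputs.conf for monitor stanzas that do not set a sourcetype.

Added example for the thread above; not part of TA-linux_secure or Splunk.
"""
import configparser

# Constructed sample: the stanza from the question beside a corrected one.
SAMPLE_INPUTS_CONF = """\
[monitor:///var/log/auth.log]
disabled = 0

[monitor:///var/log/secure]
disabled = 0
sourcetype = linux_secure
"""


def parse_inputs_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text.

    Stanza headers such as [monitor:///var/log/auth.log] contain colons and
    slashes, which configparser accepts as section names. Splunk's [default]
    stanza supplies values to every other stanza in the same file, so it is
    mapped onto configparser's default section. Splunk has no %-interpolation
    and tolerates repeated keys (last one wins), hence the relaxed settings.
    """
    parser = configparser.ConfigParser(
        default_section="default",
        interpolation=None,
        strict=False,
        delimiters=("=",),
    )
    parser.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    parser.read_string(text)
    return parser


def monitor_stanzas_missing_sourcetype(text: str) -> list[str]:
    """Return monitor:// stanzas whose effective config sets no sourcetype.

    Non-monitor inputs (e.g. script://, udp://) are out of scope here. Disabled
    stanzas are still reported: a later 'disabled = 0' in another app would
    re-enable them with the same gap.
    """
    parser = parse_inputs_conf(text)
    missing = []
    for section in parser.sections():
        if not section.startswith("monitor://"):
            continue
        if not parser.get(section, "sourcetype", fallback="").strip():
            missing.append(section)
    return missing


def add_sourcetype(text: str, stanza: str, sourcetype: str) -> str:
    """Return text with 'sourcetype = <sourcetype>' added to the named stanza.

    Line-based so comments, ordering and other keys are preserved; the new key
    is placed directly under the stanza header.
    """
    out = []
    for line in text.splitlines():
        out.append(line)
        if line.strip() == f"[{stanza}]":
            out.append(f"sourcetype = {sourcetype}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for stanza in monitor_stanzas_missing_sourcetype(SAMPLE_INPUTS_CONF):
        print(f"missing sourcetype: [{stanza}]")
    fixed = add_sourcetype(SAMPLE_INPUTS_CONF, "monitor:///var/log/auth.log", "linux_secure")
    print(fixed)
```

Run it against the inputs.conf in each deployment app before pushing it to the forwarders. When a forwarder still emits sourcetype=syslog after the fix, the usual cause is another app on the same host carrying its own stanza for the same path; `splunk btool inputs list --debug` on that forwarder prints the merged configuration with the file each setting comes from, which shows which stanza actually won.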
