I have installed the Unix TA on Solaris 10. The Unix TA is forwarding authentication failure events recorded in /var/log/authlog to index=os. I cannot locate sourcetype=authlog in the .conf files. Does it use the 3rd part of the path as the sourcetype? Where is this defined? Thanks.
Hi,
Probably one of these areas:
[Splunk_TA_nix]$ grep -rin solaris default | grep -i sourcetype
default/props.conf:421:sourcetype = Solaris:Memory
default/props.conf:457:sourcetype = Solaris:Service
default/props.conf:542:sourcetype = Solaris:Version
But more to the point, the naughty routing into an index is controlled by inputs.conf. Here's how to override that:
$ head etc/apps/Splunk_TA_nix/local/inputs.conf
[monitor:///etc]
disabled = false
index = default

[monitor:///home/.../.bash_history]
disabled = false
index = default
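To tie this back to the original question: when a monitor stanza in the TA's inputs.conf names no sourcetype and props.conf has no rule for the source, Splunk falls back to automatic sourcetype assignment, which for an unrecognised file is derived from the file name (so /var/log/authlog shows up as sourcetype authlog, or authlog-too_small for very small files). The cleanest fix is to pin both the index and the sourcetype explicitly in local/inputs.conf, since local/ stanzas take precedence over the same-named stanza in default/. The following is an added example, not a stanza from the original answer or from the Splunk_TA_nix package itself; the index name os matches the question, and the sourcetype value authlog is an assumed choice (use whatever your props.conf and searches expect).

```ini
; etc/apps/Splunk_TA_nix/local/inputs.conf  (added example, not shipped with the TA)
; A stanza here overrides the matching stanza in default/inputs.conf.
; Listing /var/log/authlog on its own, rather than relying on the broad
; [monitor:///var/log] whitelist, makes the sourcetype explicit instead of
; auto-assigned from the file name.
[monitor:///var/log/authlog]
disabled = false
index = os
sourcetype = authlog          ; assumed value; pick the name your props.conf keys on

; Keep the generic /var/log stanza routed to the same index so nothing lands
; in main by accident when a new log file appears.
[monitor:///var/log]
disabled = false
index = os
```

To confirm which file actually wins for a given setting, run `splunk btool inputs list --debug --app Splunk_TA_nix` on the forwarder; the left-hand column of the output shows the path of the .conf file each effective key/value pair came from, which answers the "where is this defined?" question directly.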