Solved: Why is the Splunk Add-on for Unix and Linux not pr...

shbagautdinov · ‎07-19-2016

Hello, Splunkers!

I use splunk_TA_nix and this search does not give results. lastlog.sh permissions 754.
Who.sh does not show any data too.
Splunkd is running by root account on CentOS 7.
Is it true that this search must show info about last login of all accounts in each event?

shbagautdinov · ‎08-11-2016

Ok, thanks to all, I have the answer 😃
Yes, when Splunk_TA_nix is properly installed it shows info about lastlogin in each event.
I have done 2 steps to resolve my issue:
1) I have set 755 permissions to all .sh scripts in Splunk_TA_nix
2) And the most important thing I have installed and enabled Splunk_TA_nix on my Windows Search head (In inputs.conf all stanzas must be disabled. It is by default. Do not change this default setting).

View solution in original post

shbagautdinov · ‎08-11-2016

Ok, thanks to all, I have the answer 😃
Yes, when Splunk_TA_nix is properly installed it shows info about lastlogin in each event.
I have done 2 steps to resolve my issue:
1) I have set 755 permissions to all .sh scripts in Splunk_TA_nix
2) And the most important thing I have installed and enabled Splunk_TA_nix on my Windows Search head (In inputs.conf all stanzas must be disabled. It is by default. Do not change this default setting).

Why is the Splunk Add-on for Unix and Linux not producing data in lastlog events?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation