Getting Data In

How can we index complete BSM log data?

Hemnaath
Motivator

Hi All, currently we are facing an issue in getting the complete BSM log data into Splunk.

We have two remote hosts, test01 and test02. test01 is running an older operating system (Solaris 9), so it has an old BSM version, whereas test02 is running Solaris 10.

Problem detail: When a user tries to fetch the login information for a particular user id in the Splunk console by executing the simple query "index=unix host=test01 sourcetype="unix:host:bsm" 007", they get "No results found".

But we can see the user id information present in the actual BSM logs on the remote node test01.

At the same time, when the same search query is executed with host=test02, we do get the information for the particular user id 007 in the Splunk console:

index=unix host="test02" sourcetype="unix:host:bsm" 007

11/13/17
11:59:09.635 AM
2017-11-13 11:59:09.635 -05:00 zone=global event="logout" audit-uid=007 uid=007 tid="11911 196630 10.151.225.181" sid="4137709539"
eventtype = nix-all-logs host = test02 source = /var/bsm/20171113.bsm.log sourcetype = unix:host:bsm

When I investigated the issue, I noticed that the data in the two logs "/var/bsm/20171113.bsm.log" are in different formats.

In test01 under /var/bsm/20171113.bsm.log:

event="login - ssh" audit-uid=007 uid=007 tid="15615 22 test01.xxx.com" sid="4094245480" retval="0"
event="logout" audit-uid=007 uid=007 tid="15615 22 test01.xxx.com" sid="4094245480"
xsl_error="no_XSL_match" event="rsh access"
xsl_error="no_XSL_match" event="rsh access"

In test02 under /var/bsm/20171113.bsm.log:

2017-11-13 08:14:49.826 -05:00 zone=global event="execve(2)" uid=root ruid=007 path=/usr/sbin/usr/lib/fs/ufs/quota retval=0 args="/usr/sbin/quota" tid="6323 196630 host.xxx.com" pid=622 sid="1060063057"
2017-11-13 08:14:49.851 -05:00 zone=global event="execve(2)" uid=007 ruid=007 path=/usr/bin/cat retval=0 args="/bin/cat -s /etc/motd" tid="6323 196630 host.xxx.com" pid=623 sid="1060063057"

The user has raised a concern about why UID=007 is not being captured in Splunk from the node test01, and he wants this information to be captured from the test01 server as well.

So kindly let me know how to fix this issue.

Thanks in advance.

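As an added illustration (not part of the original post, and not a Splunk or Solaris component), the script below parses the two line formats quoted above with one key=value tokenizer, pulls out the uid-related fields, and reports which lines carry a leading timestamp. Running something like this over a sample of each file before touching the Splunk configuration confirms that uid=007 really is present in both formats and makes the structural difference (test01 lines have no timestamp prefix) explicit. The sample lines are constructed from the ones in the question; the function names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample lines modelled on the two formats quoted in the question.
# test01 (Solaris 9 BSM): no timestamp prefix, fields only.
TEST01_LINES = [
    'event="login - ssh" audit-uid=007 uid=007 tid="15615 22 test01.xxx.com" sid="4094245480" retval="0"',
    'event="logout" audit-uid=007 uid=007 tid="15615 22 test01.xxx.com" sid="4094245480"',
    'xsl_error="no_XSL_match" event="rsh access"',
]
# test02 (Solaris 10 BSM): "YYYY-MM-DD HH:MM:SS.mmm +HH:MM" prefix, then fields.
TEST02_LINES = [
    '2017-11-13 08:14:49.826 -05:00 zone=global event="execve(2)" uid=root ruid=007 '
    'path=/usr/sbin/usr/lib/fs/ufs/quota retval=0 args="/usr/sbin/quota" '
    'tid="6323 196630 host.xxx.com" pid=622 sid="1060063057"',
    '2017-11-13 11:59:09.635 -05:00 zone=global event="logout" audit-uid=007 uid=007 '
    'tid="11911 196630 10.151.225.181" sid="4137709539"',
]

# Leading timestamp with UTC offset, as seen on test02.
TS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) ([+-]\d{2}):(\d{2}) ')
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'([A-Za-z_][\w-]*)=(?:"([^"]*)"|(\S+))')

# Fields that identify the acting user in the quoted records.
UID_FIELDS = ("uid", "audit-uid", "ruid")


def parse_bsm_line(line: str, host: str) -> Dict[str, object]:
    """Parse one BSM text line into a dict of fields.

    'timestamp' is a timezone-aware datetime when the line has a prefix,
    otherwise None; all other keys are the line's own key=value fields.
    """
    event: Dict[str, object] = {"host": host, "timestamp": None}
    rest = line
    m = TS_RE.match(line)
    if m:
        naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        hours = int(m.group(2))          # int("-05") == -5, int("+05") == 5
        sign = -1 if m.group(2).startswith("-") else 1
        offset = timedelta(hours=hours, minutes=sign * int(m.group(3)))
        event["timestamp"] = naive.replace(tzinfo=timezone(offset))
        rest = line[m.end():]
    for kv in KV_RE.finditer(rest):
        key, quoted, bare = kv.group(1), kv.group(2), kv.group(3)
        event[key] = quoted if quoted is not None else bare
    return event


def parse_host_log(lines: List[str], host: str) -> List[Dict[str, object]]:
    """Parse every line of one host's BSM file."""
    return [parse_bsm_line(line, host) for line in lines if line.strip()]


def find_uid(events: List[Dict[str, object]], uid: str) -> List[Dict[str, object]]:
    """Return events where any uid-related field equals the given uid.

    This is the field-based equivalent of the free-text '007' search in
    the question: it does not depend on the line having a timestamp.
    """
    return [e for e in events if any(str(e.get(f)) == uid for f in UID_FIELDS)]


def timestamp_report(events: List[Dict[str, object]]) -> Dict[str, int]:
    """Count how many parsed events carry their own timestamp."""
    missing = sum(1 for e in events if e["timestamp"] is None)
    return {"total": len(events), "with_timestamp": len(events) - missing,
            "missing_timestamp": missing}


def first_timestamp_iso(events: List[Dict[str, object]]) -> Optional[str]:
    """ISO form of the first event timestamp, or None if the file has none."""
    for e in events:
        if e["timestamp"] is not None:
            return e["timestamp"].isoformat()
    return None


if __name__ == "__main__":
    t01 = parse_host_log(TEST01_LINES, "test01")
    t02 = parse_host_log(TEST02_LINES, "test02")
    for host, events in (("test01", t01), ("test02", t02)):
        hits = find_uid(events, "007")
        print(host, timestamp_report(events), "uid=007 events:", len(hits))
```

The check matters because an indexer has to assign a time to every event; when a line carries no parseable timestamp, Splunk falls back to other sources (the previous event's time or the file's modification time, depending on props.conf), so events from the test01 format can still be indexed yet land outside the time range a search expects. Comparing the report for the two hosts tells you whether that is the difference worth investigating rather than the uid field itself.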