Hi All, currently I am facing an issue in getting the complete BSM log data into Splunk. We have two remote hosts, test01 and test02; test01 is running an older operating system (Solaris 9), so it has an old BSM version, whereas test02 is running Solaris 10.
On investigation we have identified that on test01 the actual log data does not have a time stamp in it, so when we search with the below query, it returns very few events.
index=unix host=test01 sourcetype="unix:host:bsm"
Example: when we run the query with the time frame set to 4 hours, we see hardly 22 events, with a 1-hour interval between each event in Splunk.
11/14/17
8:30:01.000 AM
event="logout" audit-uid=mqm uid=mqm tid="13416 22 host05.xxx.com" sid="1266159348"
event="su" audit-uid=root uid=root text="success for user mercator" tid="9195 131094 test02.xxx.com" sid="596162876"
event="su" audit-uid=root uid=root text="success for user mercator" tid="9195 131094 test02.xxx.com" sid="596162876"
event="su" audit-uid=root uid=root text="success for user mercator" tid="9195 131094 test02.xxx.com" sid="596162876"
xsl_error="no_XSL_match" event="ftp access"
eventtype = err0r error eventtype = nix-all-logs eventtype = nix_errors error host = test01 source = /var/bsm/20171114.bsm.log sourcetype = unix:host:bsm
11/14/17
7:30:03.000 AM
event="logout" audit-uid=solarwinds uid=solarwinds tid="12506 196630 host05.xxx.com" sid="1117761561"
event="login - ssh" audit-uid=solarwinds uid=solarwinds tid="12517 131094 host05.xxx.com" sid="2100926268" retval="0"
event="logout" audit-uid=solarwinds uid=solarwinds tid="12506 131094 host05.xxx.com" sid="1833882761"
eventtype = nix-all-logs host = test01 source = /var/bsm/20171114.bsm.log sourcetype = unix:host:bsm
11/14/17
6:30:01.000 AM
event="logout" audit-uid=mercator uid=mercator tid="10626 131094 host01.xxx.com" sid="1196470503"
xsl_error="no_XSL_match" event="ftp access"
xsl_error="no_XSL_match" event="ftp logout"
event="logout" audit-uid=mercator uid=mercator tid="10626 196630 host01.xxx.com" sid="2088481153"
xsl_error="no_XSL_match" event="ftp access"
eventtype = err0r error eventtype = nix-all-logs eventtype = nix_errors error host = test01 source = /var/bsm/20171114.bsm.log sourcetype = unix:host:bsm
Actual log format: /var/bsm/20171114.bsm.log, without time stamp.
event="ftp logout" xsl_error="no_XSL_match" event="ftp access" event="su" audit-uid=root uid=root text="success for user mqm" tid="9195 131094 test02.xxx.com" sid="59616287 xsl_error="no_XSL_match" event="ftp logout" xsl_error="no_XSL_match" event="ftp access" xsl_error="no_XSL_match" event="ftp access"xsl_error="no_XSL_match"event="ftp logout" event="login - ssh" audit-uid=007 uid=007 tid="15615 22 test02.xxx.com" sid="4094245480" retval="0" event="logout" audit-uid=007 uid=007 tid="15615 22 test02.xxx.com" sid="4094245480" xsl_error="no_XSL_match" event="rsh access" xsl_error="no_XSL_match"
In this case, how do I configure props.conf to assign the time stamp when Splunk reads the data from the source "/var/bsm/20171114.bsm.log"?
Kindly guide me on this.
Thanks in advance.
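One way to handle the timestamp-less test01 data, as an added props.conf example that is not part of the original post. It assumes each BSM record sits on its own line in the file (the run-together text above is taken to be a paste artifact), that the stanza is scoped to host test01 so the Solaris 10 host keeps normal timestamp extraction, and that it is deployed on the parsing tier (indexer or heavy forwarder), since DATETIME_CONFIG and LINE_BREAKER are not applied by a universal forwarder.

```ini
# props.conf on the indexer / heavy forwarder (assumed deployment location)
# host:: stanzas take precedence over sourcetype stanzas, so only test01
# is affected; test02 keeps the default unix:host:bsm timestamp handling.
[host::test01]
# One event per line: stop Splunk from merging timestamp-less lines into
# large multi-line events (the "Show all 38 lines" blobs seen in search).
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# No timestamp in the data: stamp each event with the time it was indexed
# instead of letting Splunk guess or inherit a time from a neighbouring event.
DATETIME_CONFIG = CURRENT
# Guard against the occasional very long record being silently cut.
TRUNCATE = 10000
```

After restarting the indexer (or reloading props), only newly indexed data picks up the setting; re-run the `index=unix host=test01 sourcetype="unix:host:bsm"` search over a fresh window to confirm one event per line with distinct _time values. The index time is only an approximation of when the Solaris 9 audit record was actually written, so investigations should treat _time on test01 as "time seen", not "time of the event".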