Hi Team,
Currently we are requested to set up a monitoring stanza to fetch the wtmpx/utmpx data files from the remote Solaris machines; similarly, wtmp and btmp are the data files that need to be monitored from the remote Linux machines.
wtmpx and utmpx - These two files are present under the /var/adm/ directory.
wtmp and btmp - These two files are present under the /var/log/ directory.
Problem Detail:
Since these are binary files, when trying to monitor them from Splunk I am getting the below WARN messages in Splunk.
01-16-2018 08:06:47.560 -0500 WARN FileClassifierManager - The file '/var/adm/utmpx' is invalid. Reason: binary
01-16-2018 08:06:46.560 -0500 WARN FileClassifierManager - The file '/var/adm/wtmpx' is invalid. Reason: binary
Requirement :
Need to monitor /var/adm/wtmpx - binary files that need to be monitored via Splunk.
thanks in advance.
Hello.
Your easiest path is to install the Splunk_TA_nix app, as it comes with scripted inputs for ‘who’ and ‘last’.
The scripts are in the bin folder and are called ‘who.sh’ and ‘lastlogin.sh’.
Both of these will read the contents of the binary files and output them in a readable format.
If you use the mechanism from the TA the events will be extracted automatically for you, or you can use the scripts as a starting point for writing your own scripted input.
Hey, I have downloaded the Splunk_TA_nix add-on from Splunkbase and I have copy/pasted who.sh and lastlog.sh into the bin folder of my own app called test-ta-nix, and also copy/pasted the scripted input details into the inputs.conf in the same app.
# Shows current user sessions
[script://./bin/who.sh]
sourcetype = who
source = who
interval = 150
index = nix
disabled = 0
# Shows last login time for users who have ever logged in
[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
index = nix
disabled = 0
[monitor:///var/adm]
whitelist=(\.log|log$|wtmpx|utmpx|message)
index=nix
# the key is "disabled"; "disable" is not a valid inputs.conf setting
disabled=0
[monitor:///var/log]
whitelist=(\.log|log$|secure|message|auth|wtmp|btmp|cron$|\.out)
blacklist=(lastlog)
index=nix
disabled=0
Kindly let me know whether I can use the above stanzas to fetch the required binary details into Splunk.
thanks in advance.
I was able to achieve this by editing the lastlog.sh script that came with the Splunk app. Find the if statement that pertains to the OS you are using. In the CMD variable, add sudo to it. Now edit the sudoers rules list to add a rule to allow the splunk user to run the command.
Hey dchapin, I had a different issue altogether and fixed it after validating that there were two apps with the same input configuration, both executing the lastlog.sh script.
Example: one app with the bin and script folders, and another app without a bin folder, was taking precedence; as the bin folder was not present there was no data in the indexer, and the splunk inputs status showed the script exited with code 1.
thanks.
Hi Nickhill, I tried the below inputs.conf stanzas on a test machine to pull the binary data from the Solaris machine, but it did not fetch any data from that node.
# Shows current user sessions
[script://./bin/who.sh]
sourcetype = who
source = who
interval = 150
index = nix
disabled = 0
# Shows last login time for users who have ever logged in
[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
index = nix
disabled = 0
[monitor:///var/adm/wtmpx]
index = nix
disabled = 0
Kindly guide me on this.
Have you tried running the scripts on the command line?
They should produce formatted output if you just execute them with ./xxx.sh.
No, I haven't tried executing the script on the remote Solaris node. So you mean to execute
./who.sh, but from which path or directory do we need to execute the script?
From the path that the script is in.
Okay, let me try to execute ./who.sh on the remote machine under this path:
/opt/splunkforwarder/etc/test-ia-unix/bin
./who.sh
It should fetch some output, is that correct?
Hey, I don't have access to the remote test node. I had just copy/pasted who.sh and lastlog.sh from the Splunk add-on directly and not changed their content. So could you please let me know whether the below inputs.conf stanzas are right?
# Shows current user sessions
[script://./bin/who.sh]
sourcetype = who
source = who
interval = 150
index = nix
disabled = 0
# Shows last login time for users who have ever logged in
[script://./bin/lastlog.sh]
sourcetype = lastlog
source = lastlog
interval = 300
index = nix
disabled = 0
[monitor:///var/adm/wtmpx]
index = nix
disabled = 0
I am checking with the Unix admin to test the same. Meanwhile, could you please let me know whether the above inputs.conf is correct?
Hey, we are getting a permission denied issue while executing ./who.sh on the remote node.
/opt/splunkforwarder
bash-3.2$ cd etc/apps/test-ta-nix/bin
bash: cd: etc/apps/test-ta-nix/bin: Permission denied
I could see this error in splunkd.log
01-17-2018 11:55:19.134 -0500 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/test-ta-nix/bin/who.sh" /bin/sh: /opt/splunkforwarder/etc/apps/test-ta-nix/bin/who.sh: cannot execute
You need to make sure that the user running the Splunk forwarder has permission to all the files in the /opt/splunkforwarder folder.
In addition, that user also needs permission (root) to invoke last (any user can normally run who).
When testing the scripts at the command line, you will need to ensure the user has similar access; otherwise you will see the errors in your post.
I suggest you talk to your Unix admins to confirm what permissions the processes have/need.
@hemnaath
Did the answer and the comments help you figure out the answer? If it did, please click accept on the answer.
Thanks
Hi asiddique, it did not fetch the data from the wtmpx file even though I had given full permission to execute the commands.
Permission Details:
-rwxrwxr-x 1 splunk splunk 2789 Jan 25 06:52 who.sh
-rwxrwxr-x 1 splunk splunk 2835 Jan 25 06:52 lastlog.sh
-rwxrwxr-x 1 splunk splunk 3091 Jan 25 06:52 common.sh
But I am still unable to read the binary file from /var/adm/wtmpx, so kindly guide me on enabling log monitoring.
thanks in advance.
that is correct
(if the scripts work)
Hi all, can anyone guide me on the scripted inputs to pull the who and last data into Splunk?
thanks in advance.