Deployment Architecture

Process HP-UX Audit logs

New Member

Hi,

We are trying to get HP-UX audit logs processed by Splunk.

We get the logs in binary format, and run then through 'audisp' on a hp-ux device, which give us nice ASCII text.

Then we use syslog-ng (this guide: http://www.splunk.com/wiki/Community:GatherHPUXAudits) to get them into Splunk.

Problem is that they are displayed as just one line log entries, no processing has been done.

I think I need to edit the props.conf file to add some regex to split the fields out, but need some help1

I have some sample logs I can provide, if needed?

Any help would be much appreciated!
Mike

Tags (4)
0 Karma

Legend

Actually, it should be easier than that! Splunk already knows about syslog format - a sourcetype for syslog is already included in Splunk. The definition for this sourcetype includes all the field extractions.

The syslog-ng output should be in a syslog format. So what you really need to do is to tell Splunk that this input is sourcetype=syslog. If you set up the input using the Splunk Manager, you should be able to update it in the same way. You may need to restart Splunk for the changes to take effect. (You can also just add the line sourcetype=syslog to the appropriate stanza of inputs.conf, if you want to do this manually. You will also need to restart Splunk.)

Now the bad news - changing the input sourcetype to syslog will only affect new data. If you can, remove any of the existing data from Splunk and re-index it. That's really the best way to fix the data. If you can't do that, then you may have to setup the field extractions; editing props.conf is one way to do that. Here are the instructions for setting up field extractions in the manuals. (Just to be clear: you definitely want search-time field extractions - and definitely do not want index-time field extractions.)

0 Karma