Deployment Architecture

UNIX last event /var/log/wtmp

rossikwan
Path Finder

Hi all,

My UNIX (Solaris) host has the Splunk universal forwarder installed, and some monitor inputs in inputs.conf are successfully indexed.

But I would like to retrieve daily login information for the UNIX servers, and have had no luck retrieving the events from the last command.

Could anyone here help get the UNIX login info indexed into Splunk?
Thanks

Rossi

1 Solution

mikelanghorst
Motivator

By "without luck" are you referring to your attempts to index the wtmp file data?

Splunk for Unix and Linux does have inputs and the necessary script to input this data.

http://splunk-base.splunk.com/apps/22314/splunk-for-unix-and-linux is for splunk servers and
http://splunk-base.splunk.com/apps/33800/splunk-for-unix-and-linux-technology-add-on if you prefer for your Universal Forwarders (if applicable).


rossikwan
Path Finder

In the UNIX app, there is a script to retrieve the last output from various OSes, including IBM AIX, SUN Solaris and different Linux distributions... Thanks.

rossikwan
Path Finder

Yes, other kinds of data are already sent to the Splunk instance and can be searched and reported on.

And I tried to use a "script input" which uses the "last" command, without success, due to the formatting as stated below.

http://splunk-base.splunk.com/answers/5844/can-i-splunk-my-wtmp-files

"This can be more elaborate since "last" doesn't have tailing or time span selection capabilities, but advanced shell scripting and cron can be used to set this up."

[Script Input]
"/usr/bin/last -f /opt/logs/acctlog/wtmpx.20111114"
where wtmpx.$DATE$ is "/var/adm/wtmpx" from the last date it was truncated.
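As an added example (not code from this thread or from the Splunk Unix app), the following Python scripted-input helper turns `last -f` output into key=value events and checkpoints the sessions it has already emitted, which is the gap the quoted note about `last` having no tailing or time-span selection points at. The `year` argument (`last` prints no year) and the sample `last` lines are assumptions.

```python
"""Convert Solaris `last -f /var/adm/wtmpx` output into Splunk key=value events.
`last` has no tailing or time-span option, so a scripted input re-reads the whole
archive each run; the `seen` checkpoint keeps sessions from being indexed twice."""
import re
from datetime import datetime

# `last` prints "Mon Nov 14 09:01" without a year; the caller supplies it
# (e.g. taken from a rotated file name such as wtmpx.20111114).
DATE_RE = re.compile(r"(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat) (Jan|Feb|Mar|Apr|May|Jun|"
                     r"Jul|Aug|Sep|Oct|Nov|Dec) +(\d{1,2}) (\d{2}):(\d{2})")
DUR_RE = re.compile(r"\((?:(\d+)\+)?(\d{2}):(\d{2})\)")   # (hh:mm) or (d+hh:mm)
SAMPLE = """\
rossi     pts/1        10.10.1.5        Mon Nov 14 09:01 - 09:30  (00:29)
root      console                       Mon Nov 14 08:15   still logged in
reboot    system boot                   Sun Nov 13 22:10
wtmp begins Sun Nov 13 22:10
"""   # constructed sample of `last` output, not captured from a real host

def parse_last_line(line, year):
    """Return one session as a dict, or None for blank/trailer lines."""
    m = DATE_RE.search(line)
    if not m or line.startswith("wtmp begins"):
        return None
    head = line[:m.start()].split()
    if head[1:3] == ["system", "boot"]:          # reboot records
        tty, rest = "system boot", head[3:]
    else:
        tty, rest = head[1], head[2:]
    start = datetime(year, datetime.strptime(m.group(1), "%b").month,
                     int(m.group(2)), int(m.group(3)), int(m.group(4)))
    tail = line[m.end():].strip()                # "- 09:30  (00:29)", "still logged in", ""
    d = DUR_RE.search(tail)
    minutes = (int(d.group(1) or 0) * 1440 + int(d.group(2)) * 60
               + int(d.group(3))) if d else None
    return {"user": head[0], "tty": tty, "host": rest[0] if rest else "",
            "start": start.isoformat(), "duration_min": minutes,
            "state": "open" if tail.startswith("still") else "closed"}

def new_sessions(lines, year, seen):
    """Return sessions not yet in `seen`; an open session is emitted again once closed."""
    out = []
    for ev in filter(None, (parse_last_line(l, year) for l in lines)):
        key = (ev["user"], ev["tty"], ev["host"], ev["start"], ev["state"])
        if key not in seen:
            seen.add(key)
            out.append(ev)
    return out

def to_kv(ev):
    return " ".join(f'{k}="{v}"' for k, v in ev.items())   # Splunk auto-extracts k="v"
```

In a real deployment the `seen` set would be persisted between runs (for example pickled next to the script) and the year taken from the rotated file name.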


rossikwan
Path Finder

Let me check how these apps could help with this. I'll get back here after checking, thanks.

Drainy
Champion

Do you have log data being monitored already? (Is that what you mean by monitor in inputs?) And do you just want to understand how to search the data?

Takajian
Builder

Splunk is able to monitor the secure log on Unix. Does the following setting meet your requirement?

Configure inputs.conf as below (the monitor stanza needs three slashes, since the absolute path itself starts with one):

[monitor:///var/log/secure*]
sourcetype = *******

rossikwan
Path Finder

Those UNIX servers do not have any file named /var/log/secure*
