Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Configure Splunk to get the aide log file

ck26676
New Member
‎10-26-2023 08:59 AM

I am trying to configure Splunk to read the aide.log file, which file(s) do I need to modify in Splunkforwarder  to get it to read the aide.log file.

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-26-2023 09:40 AM

Any inputs.conf file other than /opt/splunkforwarder/etc/system/default/inputs.conf.

Best practice is to create your own app (/opt/splunkforwarder/etc/apps/org_aide_inputs, for example) and put the inputs.conf file there.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ck26676
New Member
‎10-30-2023 07:54 AM

Still trying to get the right configuration to read the aide.log file, this is what I have written in the inputs.conf file.

[aide]
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
TIME_PREFIX = Mtime\s{4}:\s\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{14},\s
BREAK_ONLY_BEFORE = ((File:|Directory:))
CHARSET = UTF-8
EXTRACT-mtime = (Mtime\s{4}:\s\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{14},\s(?\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}))
EXTRACT-ctime = (Ctime\s{4}:\s(?\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}))
EXTRACT-file = File:\s(?P[\/]{1,}(\w|.)+)
EXTRACT-directory = Directory:\s(?P[\/]{1,}(\w|.)+)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-30-2023 06:15 PM

Those settings belong in props.conf on the indexers and heavy forwarders.

BTW, the TIME_PREFIX setting should describe what comes *before* the timestamp and not the timestamp itself.

The inputs.conf file should look a little like this:

[monitor:///path/to/file]
index = foo
sourcetype = mysourcetype
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

m_pham
Splunk Employee
Splunk Employee
‎11-01-2023 02:43 PM

Just to add to this, for the path in the stanza - make sure you use the correct slashes depending which operating system it is (forward slash for Linux and back slash for Windows).

 

[monitor://<path>]
* Configures a file monitor input to watch all files in the <path> you specify.
* <path> can be an entire directory or a single file.
* You must specify the input type and then the path, so put three slashes in
  your path if you are starting at the root on *nix systems (to include the
  slash that indicates an absolute path).

https://docs.splunk.com/Documentation/Splunk/latest/Admin/inputsconf 

https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Monitorfilesanddirectorieswithinputs.conf

Windows inputs stanza example:

[monitor://C:\Windows\System32\WindowsUpdate.log]
index = test
sourcetype = my_sourcetype

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...