Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Configure Splunk to get the aide log file

ck26676
New Member
‎10-26-2023 08:59 AM

I am trying to configure Splunk to read the aide.log file, which file(s) do I need to modify in Splunkforwarder  to get it to read the aide.log file.

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-26-2023 09:40 AM

Any inputs.conf file other than /opt/splunkforwarder/etc/system/default/inputs.conf.

Best practice is to create your own app (/opt/splunkforwarder/etc/apps/org_aide_inputs, for example) and put the inputs.conf file there.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ck26676
New Member
‎10-30-2023 07:54 AM

Still trying to get the right configuration to read the aide.log file, this is what I have written in the inputs.conf file.

[aide]
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
TIME_PREFIX = Mtime\s{4}:\s\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{14},\s
BREAK_ONLY_BEFORE = ((File:|Directory:))
CHARSET = UTF-8
EXTRACT-mtime = (Mtime\s{4}:\s\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{14},\s(?\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}))
EXTRACT-ctime = (Ctime\s{4}:\s(?\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}))
EXTRACT-file = File:\s(?P[\/]{1,}(\w|.)+)
EXTRACT-directory = Directory:\s(?P[\/]{1,}(\w|.)+)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-30-2023 06:15 PM

Those settings belong in props.conf on the indexers and heavy forwarders.

BTW, the TIME_PREFIX setting should describe what comes *before* the timestamp and not the timestamp itself.

The inputs.conf file should look a little like this:

[monitor:///path/to/file]
index = foo
sourcetype = mysourcetype
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

m_pham
Splunk Employee
Splunk Employee
‎11-01-2023 02:43 PM

Just to add to this, for the path in the stanza - make sure you use the correct slashes depending which operating system it is (forward slash for Linux and back slash for Windows).

 

[monitor://<path>]
* Configures a file monitor input to watch all files in the <path> you specify.
* <path> can be an entire directory or a single file.
* You must specify the input type and then the path, so put three slashes in
  your path if you are starting at the root on *nix systems (to include the
  slash that indicates an absolute path).

https://docs.splunk.com/Documentation/Splunk/latest/Admin/inputsconf 

https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Monitorfilesanddirectorieswithinputs.conf

Windows inputs stanza example:

[monitor://C:\Windows\System32\WindowsUpdate.log]
index = test
sourcetype = my_sourcetype

 

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...
Top