How to configure Unix/AIX servers to forward administrative activity logs to Splunk?
Hi Everyone,
We have some Unix/AIX servers, and we want to configure the servers to send the administrative activity logs to Splunk.
Can anybody help me understand what kind of logs we require, or does anyone have experience to advise on that?
Hi everyone,
fortunately our AIX admin got the script. That script converts the multi-line output into one line and saves it into a log file.
Hi cusello,
unfortunately I faced another problem related to the parsing of AIX audit logs into Splunk. On AIX servers, the logs are multi-line.
For example, when a new user is created, the "user created" command is in the first line and the user name is in the second line. How can we fix this issue?
In Splunk it only shows the first line.
It is very critical to us. Please advise.
Hi rashid47010,
the best solution is to install the Splunk_TA_nix app.
Otherwise you have to take:
- /var/log/secure
- /var/log/messages
inserting in your forwarders' inputs.conf the following stanzas:

[monitor:///var/log/secure]
disabled = 0
index = os
sourcetype = linux

[monitor:///var/log/messages]
disabled = 0
index = os
sourcetype = linux

You have to verify if on AIX there are additional logs that you have to take.
Bye.
Giuseppe
Hi rashid47010,
You can install a forwarder on the syslog server and so get the logs into Splunk.
You could also use Splunk as a syslog concentrator and send syslog directly to Splunk using the UDP or TCP protocols (see network inputs).
In any case, the best solution should be to install a forwarder on each server: in this way you have a more efficient and safer solution.
Efficient because transmission is optimized (bandwidth optimization, compression, ...), safer because the forwarder caches logs in case of problems; using syslog you lose logs in case of problems (to not lose logs you should use a load balancer and two Splunk servers as receivers).
So I suggest using syslog only if you cannot use a forwarder.
Bye.
Giuseppe
Did you try to configure your props.conf with SHOULD_LINEMERGE=true?
After this you could extract your fields using the (?ms) option in your REGEX.
Bye.
Giuseppe
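The multi-line problem raised in the thread (the "user created" event on one line, the user name on the next) and the SHOULD_LINEMERGE / (?ms) advice above, as an added example that is not code from the thread or from Splunk: a small Python script that does outside Splunk what line merging plus a (?ms) field extraction would do inside it, and writes each audit record as one JSON line, which is the same effect the AIX admin's script was written to get. The sample records are constructed and only loosely modelled on `auditpr -v` output; the real column layout depends on the `-h` flags used, so HEADER_RE and EVENT_RE are assumptions to adjust against a real capture.

```python
"""Merge multi-line AIX audit records into one JSON line per event.

Added example, not code from the thread or from Splunk. The sample records
are constructed and only loosely modelled on `auditpr -v` output; the real
column layout depends on the -h flags your admin uses, so HEADER_RE and
EVENT_RE are assumptions to adjust against a real capture.
"""
import json
import re

# Constructed sample: the detail line ("user: ...") follows the header line,
# which is why an ingest that breaks on every newline shows only line 1.
SAMPLE = """\
USER_Create     root      OK     Tue Mar 10 10:00:01 2020  mkuser
        user: jdoe
USER_Remove     root      OK     Tue Mar 10 10:05:44 2020  rmuser
        user: tmpadmin
PASSWORD_Change root      FAIL   Tue Mar  5 10:06:10 2020  passwd
        user: jdoe
FILE_Open       root      OK     Tue Mar 10 10:07:00 2020  cat
"""

# A record starts on a line with no leading whitespace that begins with an
# event name; continuation lines are indented. Same idea as BREAK_ONLY_BEFORE.
HEADER_RE = re.compile(r"^[A-Z][A-Za-z0-9_]*\s")

# Extraction over the merged record. (?m) makes ^ match at each line start and
# (?s) lets .*? cross newlines, so the 'user:' line can be reached from the
# header line. The user part is optional because not every event carries one.
EVENT_RE = re.compile(
    r"(?ms)^(?P<event>\S+)\s+(?P<login>\S+)\s+(?P<status>OK|FAIL)\s+"
    r"(?P<time>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4})\s+"
    r"(?P<command>\S+)(?:.*?^\s*user:\s*(?P<user>\S+))?"
)


def merge_records(text):
    """Group lines into records: each header line plus its indented continuation lines."""
    records, current = [], []
    for line in text.splitlines():
        if HEADER_RE.match(line) and current:
            records.append("\n".join(current))
            current = []
        if line.strip():
            current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def parse_record(record):
    """Extract fields from one (possibly multi-line) record; None for missing optional fields."""
    m = EVENT_RE.search(record)
    if not m:
        return {"event": "UNPARSED", "raw": record.replace("\n", " ")}
    return m.groupdict()


def parse_all(text):
    """Merge then parse: one dict per audit record."""
    return [parse_record(r) for r in merge_records(text)]


def to_single_lines(text):
    """One JSON object per line: safe to write to a file a forwarder monitors."""
    return [json.dumps(rec, sort_keys=True) for rec in parse_all(text)]


def header_lines_only(text):
    """What a newline-broken ingest sees: the header line alone, so 'user' is lost."""
    return [parse_record(line) for line in text.splitlines() if HEADER_RE.match(line)]


if __name__ == "__main__":
    for line in to_single_lines(SAMPLE):
        print(line)
```

Inside Splunk the same two steps are props.conf settings on the sourcetype: `SHOULD_LINEMERGE = true` together with a `BREAK_ONLY_BEFORE` regex that matches the header line (without it every line becomes its own event, which is exactly the symptom described), and an `EXTRACT-...` whose regex starts with `(?ms)` so it can reach the second line. If the admin's script already writes one line per record, the forwarder can monitor that file with `SHOULD_LINEMERGE = false` instead.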
Hi Giuseppe,
Thanks for your reply.
My concern is also what the AIX admin should configure on the host to send it to /var/log/messages or /var/log/secure.
In our scenario, all servers are sending logs to one central syslog server.
I believe that in the secure logs we are getting the authentication logs.
