Getting Data In

How to configure Unix/AIX servers to forward administrative activity logs to Splunk?

rashid47010
Communicator

Hi Everyone,

We have some unix/aix servers, and we want to configure the servers to send the administrative activity logs to Splunk.

Can anybody help me to understand what kind of logs we require, or anyone have experience to advise on that?

0 Karma

rashid47010
Communicator

HI everyone,

Fortunately our AIX admin got the script. That script converts the multi-line output into one line and saves it into a log file.

0 Karma

rashid47010
Communicator

Hi cusello,

Unfortunately I faced another problem related to the parsing of AIX audit logs into Splunk. In AIX servers, the logs are multi-line.
For example, when a new user is created, the user-created command is in the first line and the user name is in the second line. How can we fix this issue?
In Splunk it only shows the first line.

It is very critical to us. Please advise.

0 Karma

gcusello
SplunkTrust

Hi rashid47010,

The best solution is to install the Splunk_TA_nix App.

Otherwise you have to take:

  • /var/log/secure
  • /var/log/messages

inserting in your Forwarders' inputs.conf the following stanzas:

    [monitor:///var/log/secure]
    disabled = 0
    index = os
    sourcetype = linux

    [monitor:///var/log/messages]
    disabled = 0
    index = os
    sourcetype = linux

You have to verify if on AIX there are additional logs that you have to take.

Bye.
Giuseppe

0 Karma

gcusello
SplunkTrust

Hi rashid47010,
You can install a forwarder on the syslog server and so get the logs into Splunk.
You could also use Splunk as a syslog concentrator and directly send syslogs to Splunk using UDP or TCP protocols (see network inputs).
Anyway, the best solution should be to install a forwarder on each server: in this way you have a more efficient and sure solution.
Efficient because transmission is optimized (bandwidth optimization, compression, ...), sure because the forwarder caches logs in case of problems, while using syslog you lose logs in case of problems (to not lose logs you should use a Load Balancer and two Splunk Servers as receivers).
So I suggest you use syslog only if you cannot use a Forwarder.
Bye.
Giuseppe

0 Karma


gcusello
SplunkTrust

Did you try to configure your props.conf with SHOULD_LINEMERGE=true?
After this you could extract your fields using the (?ms) option in your REGEX.
Bye.
Giuseppe

0 Karma
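As an added illustration (not code from the thread or from Splunk), the Python below shows what Giuseppe's suggestion and the admin's script amount to: group the indented detail lines of an AIX audit record with its event line, pull fields out of the merged record with a (?ms) regex, or collapse the record onto one line for a single-line sourcetype. The sample output is constructed and only approximates the auditpr -v layout; the column order and the "user:" detail line are assumptions.

```python
import re

# Constructed sample approximating AIX `auditpr -v` output: each record starts with
# an unindented event line followed by indented detail lines, which is why Splunk
# with default line breaking shows only the first line of each record.
SAMPLE_AUDIT_OUTPUT = """\
USER_Create     root     OK          Tue Mar 12 10:15:32 2024 mkuser
        user: jdoe
USER_Remove     root     OK          Tue Mar 12 10:16:05 2024 rmuser
        user: tmpsvc
PASSWORD_Change jdoe     OK          Tue Mar 12 10:17:44 2024 passwd
        user: jdoe
"""

# (?m) makes ^ match at every line start and (?s) lets .*? cross the line break,
# so one regex reaches from the event line into the indented "user:" detail line.
EVENT_RE = re.compile(
    r"(?ms)^(?P<event>\S+)\s+(?P<login>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<time>\w{3} \w{3} +\d+ [\d:]+ \d{4})\s+(?P<command>\S+)"
    r".*?^\s+user:\s*(?P<user>\S+)"
)


def merge_records(text):
    """Group raw lines into multi-line records: a line starting at column 0 opens a
    new record, indented lines are appended to the current one."""
    # Equivalent to SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE = ^\S in props.conf.
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] += "\n" + line
        else:
            records.append(line)
    return records


def parse_record(record):
    """Extract fields from one merged record; None if it lacks a user detail line."""
    m = EVENT_RE.search(record)
    return m.groupdict() if m else None


def flatten_record(record):
    """Collapse a merged record onto one whitespace-normalised line, as the admin's
    script does, so the detail fields stay with the event in a single-line event."""
    return " ".join(record.split())


if __name__ == "__main__":
    for rec in merge_records(SAMPLE_AUDIT_OUTPUT):
        print(flatten_record(rec), parse_record(rec), sep="\n  ")
```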

rashid47010
Communicator

Hi Giuseppe

Thanks for your reply.
My concern is also what the AIX admin should configure on the host to send it to /var/log/messages or /var/log/secure.

In our scenario, all servers are sending logs to one central syslog server.

I believe that in secure logs we are getting authentication logs.

0 Karma