How to configure Unix/AIX servers to forward administrative activity logs to Splunk?

Communicator

Hi Everyone,

We have some unix/aix servers, and we want to configure the servers to send the administrative activity logs to Splunk.

Can anybody help me understand what kind of logs we require, or does anyone have experience to advise on that?

0 Karma

Re: How to configure Unix/AIX servers to forward administrative activity logs to Splunk?

Legend

Hi rashid47010,

the best solution is to install the Splunk_TA_nix app.

Otherwise you have to take:

  • /var/log/secure
  • /var/log/messages

inserting the following stanzas in your forwarders' inputs.conf:

    [monitor:///var/log/secure]
    disabled = 0
    index = os
    sourcetype = linux

    [monitor:///var/log/messages]
    disabled = 0
    index = os
    sourcetype = linux

You have to verify whether there are additional logs on AIX that you have to take.

Bye.
Giuseppe

0 Karma

Re: How to configure Unix/AIX servers to forward administrative activity logs to Splunk?

Communicator

Hi Giuseppe

Thanks for your reply.
My concern is also what the AIX admin should configure on the host to send it to /var/log/messages or /var/log/secure.

In our scenario, all servers are sending logs to one central syslog server.

I believe that in secure logs we are getting authentication logs.

0 Karma

Re: How to configure Unix/AIX servers to forward administrative activity logs to Splunk?

Legend

Hi rashid47010,
You can install a forwarder on the syslog server and so take the logs into Splunk.
You could also use Splunk as a syslog concentrator and directly send syslogs to Splunk using the UDP or TCP protocols (see network inputs).
In any case, the best solution should be to install a forwarder on each server: in this way you have a more efficient and sure solution.
Efficient because transmission is optimized (bandwidth optimization, compression, ...), sure because the forwarder caches logs in case of problems; using syslog you lose logs in case of problems (to not lose logs you should use a load balancer and two Splunk servers as receivers).
So I suggest you use syslog only if you cannot use a forwarder.
Bye.
Giuseppe

0 Karma

Re: How to configure Unix/AIX servers to forward administrative activity logs to Splunk?

Communicator

Hi cusello,

Unfortunately I faced another problem related to the parsing of AIX audit logs into Splunk. On AIX servers, the logs are multi-line.
For example, when a new user is created, the user-creation command is in the first line and the user name is in the second line. How can we fix this issue?
In Splunk it only shows the first line.

It is very critical to us. Please advise.

0 Karma

Re: How to configure Unix/AIX servers to forward administrative activity logs to Splunk?

Legend

Did you try to configure your props.conf with SHOULD_LINEMERGE=true?
After this you could extract your fields using the (?ms) option in your REGEX.
Bye.
Giuseppe

0 Karma

Re: How to configure Unix/AIX servers to forward administrative activity logs to Splunk?

Communicator

Hi everyone,

Fortunately our AIX admin got the script. That script converts the multi-line output into one line and saves it into a log file.

0 Karma
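Added example (not from the thread, not the admin's script, and not Splunk's own code) showing both approaches discussed above: joining the two-line AIX audit events into one event, as SHOULD_LINEMERGE=true or the admin's script does, and then extracting the command and target user with a (?ms) regex that works across the line break. The sample log and its two-line layout are constructed for the example; real auditpr output may differ.

```python
import re

# Constructed sample in the shape the thread describes: each audit event spans two
# lines, the command on the first and the affected user name on an indented second
# line. The layout is an assumption for the example, not real auditpr output.
SAMPLE_AUDIT = """\
USER_Create root OK Mon Mar 02 10:15:03 2020 mkuser
        user: appsvc
USER_Change root OK Mon Mar 02 10:16:41 2020 chuser
        user: appsvc attr: login=false
USER_Remove root FAIL Mon Mar 02 10:20:00 2020 rmuser
        user: ghost
"""

# A new event starts at a non-indented line; indented lines continue the previous one.
# In Splunk this corresponds to SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE = ^\S
# in props.conf; the admin's script did the same join before writing the log file.
EVENT_START = re.compile(r"^\S")

def split_events(text):
    """Group raw lines into multi-line events, keeping the original newlines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if EVENT_START.match(line) or not events:
            events.append(line.rstrip())
        else:
            events[-1] += "\n" + line.rstrip()
    return events

def flatten(event):
    """Collapse one multi-line event to a single line, as the admin's script does."""
    return " ".join(part.strip() for part in event.splitlines())

# (?ms): '.' crosses newlines and '^' anchors at each line, so the same regex
# extracts fields from a merged multi-line event or from its flattened form.
FIELD_RE = re.compile(
    r"(?ms)^(?P<event>\S+)\s+(?P<actor>\S+)\s+(?P<status>OK|FAIL)\s+.*?"
    r"(?P<command>\S+)\s+user:\s*(?P<target_user>\S+)"
)

def extract_fields(event):
    """Return the audit fields as a dict, or None when the event does not match."""
    m = FIELD_RE.search(event)
    return m.groupdict() if m else None
```

Running `extract_fields` over `split_events(SAMPLE_AUDIT)` yields the command and target user for every event, whether or not it was flattened first.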