How to fix UNIX log parsing issue?

pm2012 · ‎08-06-2023

Hi Team,

I could see logs coming from UNIX devices in the below format

<38>Aug 1 13:20:29 dns.customer.net 10.32.9.5 sshd[14171]: Failed password for michal from 10.32.7.28 port 58255 ssh2

When i look into the selected events on the left panel these logs are not getting parse, like username, source ip , port, protocol. Any suggestion please. Logs are coming through rsyslog mechanism using TCP input from the device

isoutamo · ‎08-06-2023

Hi

Can you describe your environment? Single node, distributed environment, OS, have you UF for collection or HF? Is there any HF before your indexers / SH(s)? Where you have installed this TA?

r. Ismo

jotne · ‎08-06-2023

You are using Smart Mode or Verbose Mode, not Fast Mode

pm2012 · ‎08-06-2023

Smartmode

jotne · ‎08-06-2023

You have the Splunk Add-on for Unix and Linux installed?

pm2012 · ‎08-06-2023

Yeah it is installed

Simple_Search · ‎08-07-2023

Based on the tagging of SYSLOG based on the front tag, I would assume that this is being ingested into a syslog server and then sent to an Indexer or Heavy Forwarder. If this is the case, the Splunk Add-on is not going to help you in this situation if this is the case. I usually ingest the data from SYSLOG and then use regex to extract the field names when I am conducting searches.

If this is being monitored on the server that is using a Universal Forwarder, then ensure that you are monitoring the /var/log locations with the splunkbase app on the forwarder and on the indexer.

How to fix UNIX log parsing issue?

syslog

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases