Getting Data In

How to monitor path in RHEL 8 but not RHEL 7?

token2
Path Finder

Hello, I am using the Splunk_TA_nix and a server class to push that out to all nix boxes, but the server class is not granular enough to select between RHEL 7 and RHEL 8 boxes.

In RHEL 8 I want to monitor the path /var/log/audit but NOT in RHEL 7. Is there an inputs.conf stanza to accomplish directory monitoring by OS version? Or how else would one go about this?

0 Karma

gcusello
SplunkTrust

Hi @token2,

to my knowledge there isn't a choice of different OS versions; you should check whether you could use two different stanzas (one for RHEL 7 and one for RHEL 8) without having false positives.

Otherwise, you could create two versions of the TA_nix, customized for each version of RHEL, to distribute to the correct OS version.

In addition, you could open a case with Splunk Support, because this app is Splunk-supported.

Ciao.

Giuseppe

0 Karma

token2
Path Finder

Hello @gcusello ,

Do you have an example of stanzas that can segregate by OS version and then specify the directory to be monitored?

Is there a GUI option or stanzas for the deployment server to identify RHEL 7 and RHEL 8 vs. just listing them as Linux_(arch)?

0 Karma

gcusello
SplunkTrust

Hi @token2,

no, to my knowledge there isn't an automatic way to distinguish RHEL7 from RHEL8; you have to know this from your data and create two different ServerClasses, one for the servers running each version of RHEL.

About a sample for RHEL7, I'm not an expert on Linux, but I suppose you could try /var/log.

Ciao.

Giuseppe

0 Karma

isoutamo
SplunkTrust

Hi

Probably the easiest way is to create your own server classes for RH7 and RH8. Then you also need three apps: one for the base TA-unix without configured inputs (or with the inputs common to both versions), and then your own apps for RH7 and RH8 where you define the needed inputs per version. Then just combine those in the DS configuration.

Just like @gcusello said, there hasn't been any option to separate those OS versions in the inputs/DS configuration without this kind of method.

r. Ismo

0 Karma
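A worked layout of the approach @isoutamo and @gcusello describe (base TA with no audit input, plus a small per-version app pushed by its own server class). This is an added example, not configuration from the thread or from the Splunk_TA_nix app itself. Because the deployment server cannot filter on OS version, it assumes the RHEL 8 forwarders can be picked out by a hostname pattern (rhel8-*); the app name rhel8_inputs, the index os and that naming convention are placeholders to adapt.

```ini
# --- $SPLUNK_HOME/etc/system/local/serverclass.conf on the deployment server ---

# Base class: every Linux forwarder gets the unmodified Splunk_TA_nix.
# Its inputs.conf must not enable /var/log/audit, or RHEL 7 hosts get it too.
[serverClass:nix_base]
machineTypesFilter = linux-x86_64
whitelist.0 = *

[serverClass:nix_base:app:Splunk_TA_nix]
restartSplunkd = true

# RHEL 8 only. The DS has no OS-version filter, so membership comes from
# the host list: a hostname wildcard (assumption: rhel8-* naming), or one
# explicit whitelist.N line per host you identified from your data.
# If hostnames do not encode the version, set clientName = rhel8-<host> in
# deploymentclient.conf on the forwarder; whitelist entries match clientName too.
[serverClass:rhel8_inputs]
machineTypesFilter = linux-x86_64
whitelist.0 = rhel8-*

[serverClass:rhel8_inputs:app:rhel8_inputs]
restartSplunkd = true

# --- $SPLUNK_HOME/etc/deployment-apps/rhel8_inputs/local/inputs.conf ---
# Only this app, and therefore only the rhel8_inputs server class, turns
# the audit directory on. index = os is a placeholder; linux_audit is the
# sourcetype the TA uses for auditd logs.
[monitor:///var/log/audit]
disabled = 0
sourcetype = linux_audit
index = os
```

After editing, run `splunk reload deploy-server` on the deployment server and check membership with `splunk btool serverclass list --debug` or on the Forwarder Management page; a RHEL 7 host must appear only in nix_base. One caveat for the RHEL 8 side: auditd writes /var/log/audit/audit.log as root with mode 0600, so a forwarder running as a non-root user will see the input enabled but read nothing until you grant access (for example via log_group in auditd.conf or a filesystem ACL).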