How to monitor path in RHEL 8 but not RHEL 7?

token2
Path Finder

Hello, I am using Splunk_TA_nix and a server class to push it out to all nix boxes, but a server class is not granular enough to select between RHEL 7 and RHEL 8 boxes.

In RHEL 8 I want to monitor the path /var/log/audit but NOT in RHEL 7. Is there an inputs.conf stanza to accomplish directory monitoring by OS version? Or how else would one go about this?


gcusello
SplunkTrust

Hi @token2,

To my knowledge there isn't a choice of different OS versions; you should check whether you could use two different stanzas (one for RHEL 7 and one for RHEL 8) without having false positives.

Otherwise, you could create two versions of the TA_nix customized for each version of RHEL to distribute to the correct OS version.

In addition, you could open a case with Splunk Support because this app is Splunk supported.

Ciao.

Giuseppe


token2
Path Finder

Hello @gcusello ,

Do you have an example of stanzas that can segregate by OS version then specify directory to be monitored?

Is there a GUI option or stanzas for the deployment server to identify RHEL 7 and RHEL 8 vs. just listing as Linux_(arch)?


gcusello
SplunkTrust

Hi @token2,

No, to my knowledge there isn't an automatic way to distinguish RHEL 7 from RHEL 8; you have to know this from your data and create two different server classes, one for the servers running each version of RHEL.

As for a sample for RHEL 7, I'm not an expert in Linux, but I suppose that you could try /var/log.

Ciao.

Giuseppe


isoutamo
SplunkTrust

Hi

Probably the easiest way is to create your own server classes for RH7 and RH8. Then you also need three apps: one for the base TA-unix without configured inputs (or with the inputs common to both versions), and then your own apps for RH7 and RH8 where you have defined the needed inputs per version. Then just combine those in the DS configuration.

Just like @gcusello said, there hasn't been any option to separate those OS versions in the inputs/DS configuration without this kind of method.

r. Ismo

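The three-app layout isoutamo describes, written out as an added example (this is not code from the thread or from Splunk_TA_nix). The first function answers gcusello's "you have to know this from your data" by reading the RHEL major version out of /etc/os-release, which you can run on each forwarder (or pull from the TA's own data) to build the host whitelists; the second writes the deployment-server serverclass.conf plus the two version-specific apps. The app names nix_inputs_rhel7 and nix_inputs_rhel8, the index "os" and the sourcetype linux_audit are assumptions chosen for the illustration, not values the thread gives.

```shell
#!/bin/sh
# Added example, not from the thread: classify a host by /etc/os-release and
# lay out the base-TA + two-version-apps deployment-server structure.
# App names, index and sourcetype below are illustrative assumptions.

# Print the RHEL major version found in an os-release file (default /etc/os-release).
# Prints nothing and returns 1 if the file is unreadable, not RHEL, or lacks VERSION_ID.
rhel_major() {
    f="${1:-/etc/os-release}"
    [ -r "$f" ] || return 1
    id=$(sed -n 's/^ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$f")
    [ "$id" = "rhel" ] || return 1
    ver=$(sed -n 's/^VERSION_ID="\{0,1\}\([^".]*\).*/\1/p' "$f")
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Print "whitelist.N = host" lines for a comma-separated host list.
whitelist_lines() {
    i=0
    for h in $(printf '%s' "$1" | tr ',' ' '); do
        printf 'whitelist.%d = %s\n' "$i" "$h"
        i=$((i + 1))
    done
}

# Write serverclass.conf and the two version-specific apps under $1 ($SPLUNK_HOME/etc).
# $2 / $3: comma-separated hostnames you have already identified as RHEL 7 / RHEL 8.
write_ds_layout() {
    root="$1"
    mkdir -p "$root/system/local" \
             "$root/deployment-apps/nix_inputs_rhel7/local" \
             "$root/deployment-apps/nix_inputs_rhel8/local"

    # RHEL 8 only: monitor the audit directory (sourcetype/index are assumptions).
    cat > "$root/deployment-apps/nix_inputs_rhel8/local/inputs.conf" <<'EOF'
[monitor:///var/log/audit]
disabled = 0
sourcetype = linux_audit
index = os
EOF

    # RHEL 7: the same stanza, disabled, documents the intent. The real guarantee
    # is that the base Splunk_TA_nix app carries no version-specific stanza at all.
    cat > "$root/deployment-apps/nix_inputs_rhel7/local/inputs.conf" <<'EOF'
[monitor:///var/log/audit]
disabled = 1
EOF

    {
        printf '[global]\nrestartSplunkd = true\n\n'
        # Base TA for every Linux forwarder; version-specific inputs live in the other two apps.
        printf '[serverClass:nix_base]\nwhitelist.0 = *\nmachineTypesFilter = linux-x86_64\n'
        printf '[serverClass:nix_base:app:Splunk_TA_nix]\n\n'
        printf '[serverClass:rhel7]\n'; whitelist_lines "$2"
        printf '[serverClass:rhel7:app:nix_inputs_rhel7]\n\n'
        printf '[serverClass:rhel8]\n'; whitelist_lines "$3"
        printf '[serverClass:rhel8:app:nix_inputs_rhel8]\n'
    } > "$root/system/local/serverclass.conf"
}

# Demo on a constructed os-release (not a real host) and a throwaway directory tree.
demo=$(mktemp -d)
printf 'NAME="Red Hat Enterprise Linux"\nID="rhel"\nID_LIKE="fedora"\nVERSION_ID="8.6"\n' > "$demo/os-release"
echo "constructed os-release is RHEL $(rhel_major "$demo/os-release")"
write_ds_layout "$demo/etc" "rhel7-a,rhel7-b" "rhel8-a"
cat "$demo/etc/system/local/serverclass.conf"
```

The whitelists are plain hostnames because that is all the deployment server can match on; it knows the client's machine type (linux-x86_64) but not its distribution release, which is why the classification has to happen on your side first. The base serverclass matches every Linux forwarder and only ships Splunk_TA_nix; the audit monitor exists solely in the RHEL 8 app, so a host that is in neither version-specific class gets the TA but no audit input.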