Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to monitor path in RHEL 8 but not RHEL 7?

token2
Path Finder
‎04-19-2022 10:44 AM

Hello I am using the Spunk_TA_nix and a server class to push that out to all nix boxes, but server class is not granular enough to select between RHEL 7 and RHEL 8 boxes. 

 

In RHEL 8 I want to monitor the path /var/log/audit but NOT in RHEL 7.  Is there an inputs.conf stanza to try and accomplish directory monitoring by OS version?  Or how else would one go about this?

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-19-2022 11:40 PM

Hi @token2,

for my knowledge there isn't the choice of different os versions, you should check if you could use two different stanzas (one for RHEL 7 and one RHEL 😎 without having false positives.

Otherwise, you could create two versions of the TA_nix customized for each version of RHEL to distributo to the correct os version.

In addition, you could open a Case to Splunk Support because this app is Splunk Supported.

Ciao.

Giuseppe

0 Karma
Reply

token2
Path Finder
‎04-20-2022 08:42 AM

Hello @gcusello ,

Do you have an example of stanzas that can segregate by OS version then specify directory to be monitored?

Is there a GUI option or stanzas for the deployment server to identify RHEL 7 and RHEL 8 vs. just listing as Linux_(arch)?

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-20-2022 11:23 PM

Hi @token2,

no for my knoledge there isn't an automatic way to distinguish RHEL7 from RHEL8, you have to know this from your data and create two different ServerClasses for the servers having one version of RHEL.

About a sample for RHEL7, I'm not an expert of Linux, but I suppose that you could try /var/log.

Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎04-21-2022 06:33 AM

Hi

Probably the easiest way is create own server classes for RH7 and RH8. Then also you need three apps. One for base TA-unix without configured inputs (or common inputs for both version). Then create own apps for RH7 and RH8 where you have defined needed inputs per version. Then just combine those on DS configuration.

Just like @gcusello there haven't been any option to separate those OS versions on inputs/DS configuration without this kind of method.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...