Getting Data In

Linux_audit won't transform node field into host

ZimmermanC1
Explorer

Hello all,

I collect all of my *nix logs on a central server that has a UF installed on it.
I have the splunk_ta_nix installed on my single-instance indexer/SH as well as on the UF.

inputs.conf on the UF only has the [monitor:///var/log] stanza enabled

Everything from the centralized location for /var/log/messages is getting the sourcetype of "syslog", and the host field is populating properly based off of the contents of the event rather than with the hostname of the central log server.

Everything from /var/log/secure is getting the sourcetype of linux_secure but every event is populated with the hostname of the central log server in the host field regardless of contents of the event.

I added the following to Splunk_TA_nix/local/transforms.conf

[linux_secure_host]
REGEX = ^\w+\s\d{2}\s\d{2}:\d{2}:\d{2}\s(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

And this to Splunk_TA_nix/local/props.conf

[linux_secure]
TRANSFORMS-linux_secure_host = linux_secure_host

And everything from the centralized /var/log/secure now has the correct host field value. Hoo-ray!

Lastly, I attempted to tackle all of the auditd logs that live in /var/log/audit/audit.log
These events get the sourcetype of linux_audit and show the same behaviour as the previous example I was able to fix, so I edited transforms.conf like so

[linux_audit_host]
REGEX = \snode=(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

and props.conf like this

[linux_audit]
TRANSFORMS-linux_audit_host = linux_audit_host

but I have had no luck populating the correct value into the host field for the events that go into this sourcetype.

Here is an example of a log from /var/log/audit/audit.log

node=ipa01.test.linux type=USER_END msg=audit(1505793661.317:6773): pid=13781 uid=0 auid=0 ses=917 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

Any help with this issue would be amazing.


ZimmermanC1
Explorer

Turns out I was close.

[linux_audit_host]
REGEX = ^node=(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
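
The following is an added example, not code from the original question or answer above, that emulates what the transforms in both posts do to the host field so the difference between `\snode=` and `^node=` can be checked offline. Splunk's REGEX is applied to the raw event with unanchored search, `$1` is the first capture group, and an event whose REGEX does not match simply keeps the host the forwarder stamped on it. The sample events are constructed for this example (the one audit line with `node=ipa01.test.linux` is modelled on the line in the question), `loghost.test.linux` is an assumed name for the central log server, and the "tolerant" syslog pattern is an addition that also handles the space-padded single-digit day that appears in the first nine days of each month.

```python
import re

# Assumed hostname of the central log server that runs the UF; this is what
# every event carries in host before any transform runs.
CENTRAL_HOST = "loghost.test.linux"

# Constructed sample events (not taken from a real system).
SAMPLE_SECURE = [
    # two-digit day: the pattern from the post matches this
    "Sep 19 03:21:01 ipa01.test.linux sshd[2214]: Accepted publickey for root from 10.0.0.5 port 51422 ssh2",
    # single-digit day is space-padded by syslog ("Sep  9"), which \d{2} does not match
    "Sep  9 03:21:01 web02.test.linux sshd[2215]: Failed password for invalid user admin from 10.0.0.6 port 40100 ssh2",
]
SAMPLE_AUDIT = [
    # node= prefix at the very start of the event, as in the question
    "node=ipa01.test.linux type=USER_END msg=audit(1505793661.317:6773): pid=13781 uid=0 auid=0 ses=917 "
    "subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,"
    "pam_keyinit,pam_limits,pam_systemd acct=\"root\" exe=\"/usr/sbin/crond\" hostname=? addr=? terminal=cron res=success'",
    "node=web02.test.linux type=SYSCALL msg=audit(1505793700.100:6800): arch=c000003e syscall=59 success=yes exit=0",
    # an audit line written without node= (auditd not configured to emit it): no host can be recovered
    "type=SYSCALL msg=audit(1505793710.200:6801): arch=c000003e syscall=2 success=yes exit=3",
]

# REGEX values as posted, plus a more tolerant syslog variant added here.
SECURE_REGEX_POST = r"^\w+\s\d{2}\s\d{2}:\d{2}:\d{2}\s(\S+)"
SECURE_REGEX_TOLERANT = r"^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)"
AUDIT_REGEX_BROKEN = r"\snode=(\S+)"   # requires whitespace before node=, which is never there
AUDIT_REGEX_FIXED = r"^node=(\S+)"     # node= is the first thing in the raw event


def override_host(event, regex, default_host=CENTRAL_HOST):
    """Emulate one index-time transform with FORMAT = host::$1 and DEST_KEY = MetaData:Host.

    re.search mirrors Splunk's unanchored matching against _raw; only an explicit
    ^ anchors the pattern to the start of the event. A non-match leaves the
    existing host value (the forwarder's hostname) untouched.
    """
    m = re.search(regex, event)
    return m.group(1) if m else default_host


def hosts_for(events, regex):
    """Apply the transform to every event and return the resulting host values."""
    return [override_host(e, regex) for e in events]


if __name__ == "__main__":
    for label, events, regex in [
        ("linux_secure (as posted)", SAMPLE_SECURE, SECURE_REGEX_POST),
        ("linux_secure (tolerant)", SAMPLE_SECURE, SECURE_REGEX_TOLERANT),
        ("linux_audit (\\snode=)", SAMPLE_AUDIT, AUDIT_REGEX_BROKEN),
        ("linux_audit (^node=)", SAMPLE_AUDIT, AUDIT_REGEX_FIXED),
    ]:
        print(label, hosts_for(events, regex))
```

Two caveats that the emulation makes visible. First, an index-time transform runs where parsing happens (the indexer or a heavy forwarder, not the universal forwarder) and only affects data indexed after the change; already-indexed events keep the central server's hostname. Second, an audit record only carries `node=` when auditd is configured to emit it (the `name_format` setting in auditd.conf); records without it cannot have their origin recovered from the event text, so they keep the forwarder's host, and the space-padded single-digit day in syslog timestamps is worth handling in the linux_secure pattern for the same reason.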