Getting Data In

Logging tripwire reports

Ekrell
New Member

In my setup, I have two machines running Ubuntu Linux. On one I have Splunk, and on the other I have the universal forwarder running. Both seem to be working. On the remote box, I run an IDS called Tripwire that stores its logs in a directory, /var/lib/tripwire/report. Each report is a separate file in the dir. I added the directory using "add monitor" in the universal forwarder. What I assumed would happen is that newly added files would be logged in Splunk. When I run a tripwire check, the file is created. In Splunk, the only record is that /var/log/messages is updated with a short entry saying that tripwire has been run and the name/timestamp of the newly created file. This is not good enough, as I want to be able to see the entire report from the Splunk server and be able to search those contents (to trigger alerts). Is my understanding of what directory monitoring in Splunk does completely off? I assumed it would send a notification of any additions/changes to files in the monitored directories. Or is my implementation incorrect?

I also tried another method; since the logging of /var/log/messages worked, I created a /var/trip/tripwire/log to which each tripwire report would be appended. I added that with the "add monitor" command, but this hasn't done anything either.

1 Solution

Ayn
Legend

Your understanding of how file/directory monitor inputs work sounds correct to me. When you add a file or directory to be monitored, Splunk will pick up data in that file (or, in the case of a directory, any files in that directory or its subdirectories).

If you're not seeing data from files you've added to be monitored, something is wrong. Could be a permissions issue, could be that the data is really coming in but timestamps are recognized incorrectly so you're just missing it by searching the "wrong" time period. Two things that are very good for troubleshooting inputs:
- Check splunkd.log (in $SPLUNK_HOME/var/log/splunk) for errors related to the input.
- Run this script that shows the status of all inputs on the monitoring Splunk instance in question: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/

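A small triage helper for the two checks the answer above suggests (permissions and splunkd.log errors), plus a binary-file check, as an added example that is not part of this thread and not Splunk's own code. It assumes it is run on the forwarder host as the user splunkd runs as; the report files and splunkd.log-style lines it builds are constructed samples, and the NUL-byte test is only a rough stand-in for Splunk's own binary detection.

```python
"""Triage a Splunk monitor input over a Tripwire report directory.
Example code, not from the thread or from Splunk; run as the splunkd user."""
import os
import re
import tempfile

# Constructed splunkd.log-style lines; not real Splunk output.
SAMPLE_LOG = [
    "01-02-2011 10:00:01.000 +0000 INFO  TailingProcessor - Adding watch on path: /var/lib/tripwire/report.",
    "01-02-2011 10:00:02.000 +0000 WARN  FileInputTracker - Insufficient permissions to read file='/var/lib/tripwire/report/host-20110102.twr'.",
    "01-02-2011 10:00:03.000 +0000 INFO  WatchedFile - Will begin reading at offset=0 for file='/var/log/messages'.",
]


def _files(report_dir):
    """Regular files in report_dir, sorted for stable output."""
    paths = (os.path.join(report_dir, n) for n in os.listdir(report_dir))
    return sorted(p for p in paths if os.path.isfile(p))


def unreadable_files(report_dir):
    """Report files the current user cannot open: the forwarder skips these."""
    return [p for p in _files(report_dir) if not os.access(p, os.R_OK)]


def binary_files(report_dir, probe=4096):
    """Files with a NUL byte early on (rough binary heuristic). Splunk does not
    index files it classifies as binary; raw Tripwire .twr reports are binary,
    so render them with twprint and monitor the text output instead."""
    hits = []
    for p in _files(report_dir):
        if os.access(p, os.R_OK):
            with open(p, "rb") as fh:
                if b"\x00" in fh.read(probe):
                    hits.append(p)
    return hits


def input_errors(log_lines, monitored_path):
    """WARN/ERROR lines from splunkd.log that mention the monitored path."""
    pat = re.compile(r"\b(WARN|ERROR)\b.*" + re.escape(monitored_path))
    return [line for line in log_lines if pat.search(line)]


def make_sample_dir():
    """Constructed report directory: one text report and one binary-looking .twr."""
    d = tempfile.mkdtemp(prefix="tw-report-")
    with open(os.path.join(d, "host-20110102.txt"), "w") as fh:
        fh.write("Tripwire Integrity Check Report\nTotal violations found: 2\n")
    with open(os.path.join(d, "host-20110102.twr"), "wb") as fh:
        fh.write(b"\x00\x01\x02TWR\x00signed report body\x00")
    return d


if __name__ == "__main__":
    d = make_sample_dir()
    print("unreadable:", unreadable_files(d))
    print("binary:", binary_files(d))
    print("errors:", input_errors(SAMPLE_LOG, "/var/lib/tripwire/report"))
```

On a real forwarder, point `unreadable_files` and `binary_files` at /var/lib/tripwire/report and feed `input_errors` the lines of $SPLUNK_HOME/var/log/splunk/splunkd.log.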

JimWachhaus
Path Finder

Have you looked at using Tripwire Enterprise?

