Getting Data In

Logging tripwire reports

Ekrell
New Member

In my setup, I have two machines running Ubuntu Linux. On one, I have Splunk, and on the other I have the universal forwarder running. Both seem to be working. On the remote box, I run an IDS called Tripwire that stores its logs in a directory, /var/lib/tripwire/report. Each report is a separate file in the dir. I added the directory using "add monitor" in the universal forwarder. What I assumed would happen is that newly added files would be logged in Splunk. When I run a tripwire check, the file is created. In Splunk, the only record is that /var/log/messages is updated with a short entry saying that tripwire has been run and the name/timestamp of the newly created file. This is not good enough, as I want to be able to see the entire report from the Splunk server and be able to search its contents (to trigger alerts). Is my understanding of what directory monitoring in Splunk does completely off? I assumed it would send a notification of any additions/changes to files in the monitored directories. Or is my implementation incorrect?

I also tried another method: since the logging of /var/log/messages worked, I created a /var/trip/tripwire/log file to which each tripwire report would be appended. I added that with the "add monitor" command, but this hasn't done anything either.

0 Karma
1 Solution

Ayn
Legend

Your understanding of how file/directory monitor inputs work sounds correct to me. When you add a file or directory to be monitored, Splunk will pick up data in that file (or, in the case of a directory, in any files in that directory or its subdirectories).

If you're not seeing data from files you've added to be monitored, something is wrong. It could be a permissions issue, or it could be that the data is really coming in but the timestamps are recognized incorrectly, so you're just missing it by searching the "wrong" time period. Two things that are very good for troubleshooting inputs:
- Check splunkd.log (in $SPLUNK_HOME/var/log/splunk) for errors related to the input.
- Run this script that shows the status of all inputs on the monitoring Splunk instance in question: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/


0 Karma
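A small troubleshooting helper for the two causes named in this answer (unreadable report files, and input errors recorded in splunkd.log), added here as an example and not code from the thread or from Splunk. It assumes the forwarder lives under /opt/splunkforwarder and uses a constructed splunkd.log sample so it runs offline; the log-line format (date, time, zone, level, component) is the one splunkd.log uses.

```shell
#!/bin/sh
# Added helper, not from the thread. Checks the two failure modes the answer
# names for a monitored directory: (1) the forwarder's service account cannot
# read the report files, (2) splunkd.log on the forwarder records WARN/ERROR
# lines mentioning that path. Assumed install path: /opt/splunkforwarder.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
REPORT_DIR="/var/lib/tripwire/report"

# List regular files under $1 that the current user cannot read.
# Run it as the forwarder's service account (e.g. sudo -u splunk sh this.sh).
# Returns 1 if any file is unreadable, 0 otherwise.
check_readable() {
    unreadable=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ ! -r "$f" ]; then
            echo "cannot read: $f"
            unreadable=1
        fi
    done
    return $unreadable
}

# Count WARN/ERROR lines in splunkd.log ($1) that mention the path ($2).
# Field 4 of a splunkd.log line is the log level.
count_input_problems() {
    awk -v p="$2" 'index($0, p) && ($4 == "WARN" || $4 == "ERROR") { n++ } END { print n + 0 }' "$1"
}

# Constructed sample splunkd.log for an offline dry run (not real forwarder output).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
01-02-2011 10:00:01.000 +0000 INFO  TailingProcessor - Adding watch on path: /var/lib/tripwire/report.
01-02-2011 10:00:02.000 +0000 WARN  FilesystemChangeWatcher - error getting attributes of path "/var/lib/tripwire/report/host-20110102.twr": Permission denied
01-02-2011 10:00:03.000 +0000 ERROR TailingProcessor - Ignoring path due to: Insufficient permissions to read file="/var/lib/tripwire/report/host-20110102.twr"
01-02-2011 10:00:04.000 +0000 INFO  TailingProcessor - Adding watch on path: /var/log/messages.
EOF

echo "WARN/ERROR lines about $REPORT_DIR in sample log: $(count_input_problems "$SAMPLE_LOG" "$REPORT_DIR")"
# Against the live forwarder, point it at the real log instead:
#   count_input_problems "$SPLUNK_HOME/var/log/splunk/splunkd.log" "$REPORT_DIR"
#   check_readable "$REPORT_DIR"
```

On the sample log the count is 2 (the WARN and ERROR lines about the report directory); a non-zero count against the real splunkd.log tells you which file the forwarder is choking on.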

JimWachhaus
Path Finder

Have you looked at using Tripwire Enterprise?

0 Karma
