Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiline logs coming in single log

pm2012
Explorer
‎02-26-2024 08:06 PM

Hi SMEs, there are logs coming from one of the application in one single event. How to split it in a seperate log event. Like there are 3 diff logs which are tagged to one event log

type=USER_ACCT msg=audit(Thu Sep 22 09:09:09 2023.333.12221): pid=12345 uid=0 auid=424242424 ses=6535872 subj=system_u:system_r:crond_t:s0-s0:c0.c1111 msg='op=PAM:accounting grantors=pam_access,pam_faillock,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

type=USER_ACCT msg=audit(Thu Sep 22 09:09:09 2023.333.12223): pid=12345 uid=0 auid=424242424 ses=6535872 subj=system_u:system_r:crond_t:s0-s0:c0.c1111 msg='op=PAM:accounting grantors=pam_access,pam_faillock,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

type=USER_ACCT msg=audit(Thu Sep 22 09:09:09 2023.333.12229): pid=12345 uid=0 auid=424242424 ses=6535872 subj=system_u:system_r:crond_t:s0-s0:c0.c1111 msg='op=PAM:accounting grantors=pam_access,pam_faillock,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-26-2024 11:33 PM

1. It's a linux auditd log so you might want to use an add-on for auditd. That will make everyone's lives easier 😉

2. How are you ingesting those logs? Locally by forwarder reading from /var/log/audit/auditd.log? Sent with syslog over the network? Whatever?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...

Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
li.common.scroll-to.top