Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk unable to assign reasonable sourcetype to Solaris 10 BSM audit file that has been converted to ASCII

cmeyers
Explorer
‎12-11-2015 02:03 PM

I am indexing a couple hundred Solaris 10 BSM audit files a day. The audit files are converted to ASCII. It handles the indexing and host assignment just fine, but when it comes to the sourcetype, it gives me all sorts of crazy results. I have the sourcetype be assigned automatically during the index. There are many field extractions that I want to configure but it would be illogical to use the automatically assigned sourcetypes as it would take 2-3 fields per host. And due to the volume of sources, it wouldn't make sense to assign them by host either.

Example of what sort of sourcetypes I am seeing would be HostnameA's audit file would not only have a sourcetype of another Hostname, but the logs within that audit file would be assigned (what seems like randomly) to HostnameB-2 and HostnameB-3.

Hopefully this all makes sense, it is a rather frustrating issue. Any help would be greatly appreciated!

0 Karma
Reply

dwalgamotte
New Member
‎03-10-2016 12:32 PM

try the bsm_audit TA

0 Karma
Reply

lguinn2
Legend
‎12-12-2015 09:45 AM

Set the sourcetypes manually. You can set them in inputs.conf. If that is not practical, put the sourcetype settings in a props.conf file in the same directory as the inputs.conf. Setting the sourcetype happens at input time - at index time, it is more difficult to override the sourcetype.

If you are collecting all the logs by directory, your inputs.conf will contain something like this:

[monitor::/var/log]

Clearly, you can't just set the sourcetype here, as there are a variety of sourcetypes in the single directory. In this case, you will need to do something like this in props.conf

[source::*audit.log]
sourcetype=linux_audit

You should also look at the Splunk pretrained sourcetypes. In addition, that documentation page links to "how to override automatic sourcetypes" if this explanation is not enough.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...