Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk unable to assign reasonable sourcetype to Solaris 10 BSM audit file that has been converted to ASCII

cmeyers
Explorer
‎12-11-2015 02:03 PM

I am indexing a couple hundred Solaris 10 BSM audit files a day. The audit files are converted to ASCII. It handles the indexing and host assignment just fine, but when it comes to the sourcetype, it gives me all sorts of crazy results. I have the sourcetype be assigned automatically during the index. There are many field extractions that I want to configure but it would be illogical to use the automatically assigned sourcetypes as it would take 2-3 fields per host. And due to the volume of sources, it wouldn't make sense to assign them by host either.

Example of what sort of sourcetypes I am seeing would be HostnameA's audit file would not only have a sourcetype of another Hostname, but the logs within that audit file would be assigned (what seems like randomly) to HostnameB-2 and HostnameB-3.

Hopefully this all makes sense, it is a rather frustrating issue. Any help would be greatly appreciated!

0 Karma
Reply

dwalgamotte
New Member
‎03-10-2016 12:32 PM

try the bsm_audit TA

0 Karma
Reply

lguinn2
Legend
‎12-12-2015 09:45 AM

Set the sourcetypes manually. You can set them in inputs.conf. If that is not practical, put the sourcetype settings in a props.conf file in the same directory as the inputs.conf. Setting the sourcetype happens at input time - at index time, it is more difficult to override the sourcetype.

If you are collecting all the logs by directory, your inputs.conf will contain something like this:

[monitor::/var/log]

Clearly, you can't just set the sourcetype here, as there are a variety of sourcetypes in the single directory. In this case, you will need to do something like this in props.conf

[source::*audit.log]
sourcetype=linux_audit

You should also look at the Splunk pretrained sourcetypes. In addition, that documentation page links to "how to override automatic sourcetypes" if this explanation is not enough.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...