Getting Data In

Tuning my linux_secure sourcetype

daniel333
Builder

All,

I am seeing parsing queue slow downs when large sets of linux_secure data comes in. After talking with support we decided that the default timestamp of "auto" was a bad idea for us. So I am rewriting the props.conf file for linux_secure

[linux_secure2]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 27
NO_BINARY_CHECK = true
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%dT%H:%m:%S.%q
TIME_PREFIX = ^
TZ = GMT
category = Operating System
description = Format for the /var/log/secure file containing all security related messages on a Linux machine
disabled = false
pulldown_type = true

How ever when I run this, all my events come stamped at 4:00. Any idea where I went wrong?

Here is an example log

2019-12-17T23:01:36.259901+00:00 ssomehost.somedomain.local sudo:   ambari : TTY=unknown ; PWD=/var/lib/ambari-agent ; USER=root ; ENV=PATH=/usr/sbin:/sbin:/usr/lib/ambari-server/*:/usr/hdp/current/hadoop-client/bin:/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/chef/bin:/var/lib/ambari-agent ; COMMAND=/usr/bin/test -f /disk11
0 Karma
1 Solution

daniel333
Builder

Ah! Lowercase 'm' I see it now.

View solution in original post

0 Karma

daniel333
Builder

Ah! Lowercase 'm' I see it now.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...