Getting Data In

configure field extractions props.conf/transforms.conf for syslog

huaraz
Explorer

Hi,

How would I configure field extraction for syslog messages. I have for example the following in my syslog.

Mar 04 21:38:33 opensuse13 su[2749]: (to root) markus on pts/0
Mar 04 21:38:33 opensuse13 su[2749]: pam_unix(su-l:session): session opened for user root by markus(uid=1000)
Mar 04 21:45:26 opensuse13 sftp-server[3130]: error: Unknown extended request "home-directory"
Mar 04 22:33:08 opensuse13 su[2749]: pam_unix(su-l:session): session closed for user root
Mar 13 22:18:51 opensuse13 sftp-server[39633]: error: Unknown extended request "home-directory"
Mar 21 13:06:14 opensuse13 su[898]: (to root) markus on pts/6
Mar 21 13:06:14 opensuse13 su[898]: pam_unix(su:session): session opened for user root by markus(uid=1000)
Mar 21 13:13:57 opensuse13 su[898]: pam_unix(su:session): session closed for user root
Mar 30 20:02:42 opensuse13 sshd[40536]: Received disconnect from 192.168.1.24: 11: disconnected by user
Mar 30 20:02:52 opensuse13 sshd[40577]: Received disconnect from 192.168.1.24: 11: disconnected by user
Mar 30 20:03:06 opensuse13 sshd[40616]: Received disconnect from 192.168.1.24: 11: disconnected by user

I am thinking to use different regexs for field extraction depending on daemon. So I can run report on su (i.e. which user logged in as root and how often) on sshd ( .e.g. which user came from which client ips).

Thank you
Markus

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Look at the Splunk for NIX add on at apps.splunk.com. It already has the extractions for syslog based Unix/Linux logs that you are trying to do right now.
Additionally, you can see numerous examples of the different knowledge objects used to break out sourcetypes based on regex patterns.

0 Karma

huaraz
Explorer

Which one ? There are several.

Thank you
Markus

0 Karma