host is not being extracted from linux_secure

arsalanj
Path Finder

Hi there,

We are forwarding all of our /var/log/secure logs to a syslog server "syslogserver.local" and from there it's being forwarded to Splunk over a TCP port.
Splunk is configured as a single instance.
In Data Inputs I created a TCP listener and the source type is linux_secure.

In the search app most of the fields are getting extracted except the hostname "myhost".
The host field only shows the name of that syslog server instead of the name of the server on which the alert was generated.

<85>Apr 25 15:22:03 myhost unix_chkpwd[20316]: password check failed for user (jon.doe)
date_hour = 15
date_mday = 25
date_minute = 22
date_month = april
date_second = 3
date_wday = thursday
date_year = 2019
date_zone = local
eventtype = err0r error
eventtype = nix_errors error
eventtype = nix_security os unix
host = syslogserver local
index = linux_index
linecount = 1
pid = 20316
process = unix_chkpwd
source = tcp:40515
sourcetype = linux_secure
splunk_server = splunk.local
src = syslogserver.local
tag = error
tag = os
tag = unix
timeendpos = 20
timestartpos = 4

As you can see, the values of host and src are the same.
syslogserver.local is the server that aggregates all the syslogs, and there is no field that shows "myhost".

Any ideas of where the problem might be?

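The thread's symptom (host set to the relay, so every auth failure appears to come from syslogserver.local and per-server correlation breaks) is what an index-time host override in transforms.conf fixes: a REGEX capturing the hostname from the syslog header, FORMAT = host::$1 and DEST_KEY = MetaData:Host, applied to the linux_secure sourcetype via a TRANSFORMS- entry in props.conf. The script below is an added example, not code from the original post or from the Splunk_TA_nix / TA-linux_secure add-ons: it runs the same regex in Python so the capture can be checked against sample lines before touching the Splunk config. The stanza names in the comment (syslog_host_override, TRANSFORMS-hostoverride) are assumed placeholders, and every sample line except the first (which is the line from the question) is constructed.

```python
import re

# Splunk equivalent of what this script checks (stanza names are assumed,
# not from the thread; the regex and the DEST_KEY mechanism are Splunk's):
#
#   props.conf
#   [linux_secure]
#   TRANSFORMS-hostoverride = syslog_host_override
#
#   transforms.conf
#   [syslog_host_override]
#   REGEX    = ^(?:<\d+>)?\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s
#   FORMAT   = host::$1
#   DEST_KEY = MetaData:Host
#
# Optional <PRI>, RFC 3164 timestamp ("Apr  5" has two spaces, hence \s+),
# then the hostname token. Anchored at ^ so a hostname appearing later in
# the message body can never be picked up by mistake.
SYSLOG_HOST_RE = re.compile(
    r"^(?:<\d+>)?\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s"
)


def extract_host(raw: str):
    """Return the hostname from the syslog header, or None if there is none."""
    m = SYSLOG_HOST_RE.match(raw)
    return m.group(1) if m else None


def assign_host(raw: str, default_host: str) -> str:
    """Mimic index time: when the regex matches, the captured value becomes
    host; when it does not, Splunk leaves the input's default host in place
    (here the relay), which is exactly the symptom from the question."""
    return extract_host(raw) or default_host


# Constructed sample events. SAMPLES[0] is the line quoted in the question;
# the others are made up to cover a plain header, an IP as host, and junk.
SAMPLES = [
    "<85>Apr 25 15:22:03 myhost unix_chkpwd[20316]: password check failed for user (jon.doe)",
    "Apr 25 15:22:04 web01.example.internal sshd[1201]: Accepted publickey for ops from 10.0.0.5 port 51422 ssh2",
    "<86>Apr  5 09:01:17 10.0.0.7 sudo:     ops : TTY=pts/0 ; USER=root ; COMMAND=/bin/ls",
    "garbage line with no syslog header",
]


def classify(samples, default_host="syslogserver.local"):
    """Return (host, raw) pairs as the indexer would assign them."""
    return [(assign_host(s, default_host), s) for s in samples]


if __name__ == "__main__":
    for host, raw in classify(SAMPLES):
        print(f"host={host:<24} {raw[:60]}")
```

Two things worth checking before relying on this: the override has to live where the TCP input is parsed (on a single instance that is the same box, so props.conf and transforms.conf in a local app there are enough), and the regex can only recover a host the relay actually forwarded. If syslogserver.local rewrites the header and drops the original hostname, fix the relay's template first; no transform can reconstruct a field that never arrives.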

arsalanj
Path Finder

I just deleted both Splunk_TA_nix and TA-linux_secure.
My source type is syslog and it extracts the host values, and I see no difference from when I had those TAs.

My selected fields and interesting fields are the same before and after deleting those TAs with syslog source type.

Now I'm wondering what difference having those TAs makes?


arsalanj
Path Finder

Hi @vishaltaneja07011993,

Actually, I already have it installed, but it doesn't make any difference.
When the source type is syslog, it can extract the host values.
I already tried the following:
App context = TA-linux_secure with source type linux_secure
App context = Splunk_TA_nix with source type linux_secure
Neither of them can extract the host value.
But if I choose syslog as the source type, it can extract the host value no matter what app context I select.
So what is the right way of doing this?
Shouldn't we change something in transforms.conf or somewhere else?


vishaltaneja070
Motivator

Hello @arsalanj

Try this add-on, specifically for Linux Secure:
https://splunkbase.splunk.com/app/3476/

Mostly it will help you out.
