Getting Data In

/var/tmp files seem to be created by Splunk. Why?

clyde772
Communicator

Any gurus know why there are files created in /var/tmp/ folder by Splunk?

splunk@splunk:/var/tmp> more ddtb5535964469493924781.tmp ??USTOMER-VXTBTO?0-0A-E6-B0-F9-4F?USTOMER-VXTBTO?L10.35.10.133窒?ILE?rojan.Downloader.1938.A質2005-06-29 18:03:03. 0?005-06-29 18:03:03.0?005-06-28.01 (185480)?6842754?:\WINDOWS\system32\meminf.exe????? ? ??????窒窒窒窒窒 窒1窒???????0-0A-E6-A6-CD-C3????L10.35.10.126窒?ILE?ackdoor.BotGet.FtpB.Gen質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?:\WINDOWS\system32\2pac.txt?? ?? ??????窒窒窒窒窒窒1窒??????? Connectswitch質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?HKCU\Software\Netscape\Netscape N avigator\User Trusted External Applications ""=""?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3 Connectswitch?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3????L10.35.10.126窒?PY?dwa re.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?HKLM\SOFTWARE\Microsoft\Windows\ CurrentVersion\Uninstall\WildTangent CDA?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3????L 10.35.10.126窒?PY?dware.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?KCR\W TVis.WTVisSender.1?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3????L10.35.10.126窒?PY ?dware.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?KCR\WTVis.WTVisSender?? ? ? ???L???? ???? ??窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3????L10.35.10.126窒?PY?dware.WildTangent質 2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?KCR\WTVis.WTVisReceiver.1?? ?? ???L???? ???? ?? 窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3????L10.35.10.126窒?PY?dware.WildTangent質2005-06-29 18:06:39. 0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?KCR\WTVis.WTVisReceiver?? ?? ???L???? ???? ??窒窒窒窒窒? ?窒?0??????0-0A-E6-A6-CD-C3????L10.35.10.126窒?PY?dware.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:3 9.0?005-06-28.01 (185480)?6842754?KCR\WT3D.WT.1?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒?1??????0-0A-E6-A6 -CD-C3????L10.35.10.126窒?PY?dware.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)窒 16842754?LHKCR\WT3D.WT?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒?2??????0-0A-E6-A6-CD-C3????L10.35.10.126? 窒SPY?dware.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?KCR\WT.WTMultiplaye

the file looks like above. Which looks like the files we are indexing.

  1. What could this file be?
  2. How can we avoid the files to pile up in /var/tmp dir again?

Thanks for your help

0 Karma

jrodman
Splunk Employee
Splunk Employee
  1. Splunk does use the platform-provided tmpfile() function for some purposes.
  2. It's possible that tmpfile() may be configured in your platform to use /var/tmp.
  3. The tmpfile() call ensures that the file is deleted on close or program exit. This is a platform guarantee, not a Splunk code guarantee.

Overall, it's quite unlikely that any pile-up is caused by the Splunk built-in operation. You may want to review any scripted inputs you have, or alert scripts.

I would also recommend using system tools such as lsof, auditing, and fuser to evaluate which processes have these temp files open, if any, and investigating those processes.

gkanapathy
Splunk Employee
Splunk Employee

What is it about these files the leads you to believe they are created by Splunk? Splunk doesn't generally write anything into /var/tmp unless there is some script or process that you create and configure Splunk to run that specifically does so.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...