Knowledge Management

Unix events show up in all events

fisk12
Path Finder

I have some different log sources that are being forwarded to a "main Splunk server". Some of them are Linux servers, and for those I have installed the Unix app. For some reason, all the eventtypes are showing up in events from other sources as well (firewall, wireless controller).

Like this, for every event:

eventtype=auditd
eventtype=cpu
eventtype=df check df host success
eventtype=hardware
eventtype=interfaces
eventtype=iostat cpu iostat report resource success
eventtype=lastlog
eventtype=lsof file lsof report resource success
eventtype=netstat cpu netstat os report success
eventtype=openPorts
eventtype=package
eventtype=protocol
eventtype=ps os process ps report success
eventtype=top os process report success top
eventtype=unix-all-logs
eventtype=usersWithLoginPrivs
eventtype=vmstat memory report resource success vmstat
eventtype=who

0 Karma

stech169
New Member

You've probably already figured this out, but I'm adding this because I had the same issue. If you just comment out the [unix-all-logs] stanza in //etc/app/unix/default/eventtypes.conf, you don't get any eventtypes for device syslogs. Or look at the [unix-all-logs] stanza and remove the search parameters that would hit your device syslog files.

In Unix app 4.5, I modified it as follows:

OLD:
[nix-all-logs]
search = source=".log" OR source=".log." OR source="/log/" OR source="/var/adm/" OR source="access*" OR source="error" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog

NEW:
[nix-all-logs]
search = source="/var/adm/" OR source="access" OR source="error" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog

0 Karma

yaraslau_haradz
New Member

This helped me get rid of the "unix-all-logs" eventtypes:
1) move "unix" app from folder etc/apps
2) restart splunk
3) copy "unix" app back to etc/apps folder
4) restart splunk

0 Karma

fisk12
Path Finder

Anyone have any idea?

0 Karma

fisk12
Path Finder

Cool, that did the trick, almost :) I managed to get rid of all the eventtypes except unix-all-logs. Right now the relevant part of my config looks like this:

search = source="log" OR source="var" OR sourcetype="syslog*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog
dispatch.earliest_time = -15m

[unix-all-configs]
search = source="/etc/" OR source=".conf" OR source="*.cfg"

[unix-errors-or-critical]
search = index="os" = eventtype="unix-all-logs" error OR critical

How should I set this to get rid of the "unix-all-logs" event?

0 Karma

fisk12
Path Finder

Anyone have any ideas?

0 Karma

southeringtonp
Motivator

The unix app has a known issue with incorrectly defined eventtypes.

Take a look at this thread:
http://answers.splunk.com/questions/9194/results-returning-wrong-eventtypes

The gist is that you need to override each of the affected eventtypes and add the missing search= before the search strings.
