Knowledge Management

Unix events shows upp in all events

fisk12
Path Finder

I have some different log sources that is being forwarded to a "main spunk server". There are some Linux servers that, and for that i have installed the unix app. For some reason, all the eventtype is showing up in other sources aswell (firewall, wireless controller) events aswell.

like this. for every event.

eventtype=auditd Options|
eventtype=cpu Options|
eventtype=df check df host success Options|
eventtype=hardware Options|
eventtype=interfaces Options|
eventtype=iostat cpu iostat report resource success Options|
eventtype=lastlog Options|
eventtype=lsof file lsof report resource success Options|
eventtype=netstat cpu netstat os report success Options|
eventtype=openPorts Options|
eventtype=package Options|
eventtype=protocol Options|
eventtype=ps os process ps report success Options|
eventtype=top os process report success top Options|
eventtype=unix-all-logs Options|
eventtype=usersWithLoginPrivs Options|
eventtype=vmstat memory report resource success vmstat Options|
eventtype=who Options

0 Karma

stech169
New Member

You've probably already figured this out but I'm just adding this because I had the same issue. If you just comment out the stanza for [unix-all-logs] in //etc/app/unix/default/eventtypes.conf, you don't get any eventtypes for device syslogs. Or look at the stanza for [unix-all-logs] and remove the search parameters that would hit your device syslog files.

In unix app 4.5, I modified as follows:

OLD:
[nix-all-logs]
search = source=".log" OR source=".log." OR source="/log/" OR source="/var/adm/" OR source="access*" OR source="error" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog

NEW:
[nix-all-logs]
search = source="/var/adm/" OR source="access" OR source="error" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog

0 Karma

yaraslau_haradz
New Member

Helped me to get rid of "unix-all-logs" eventtypes:
1) move "unix" app from folder etc/apps
2) restart splunk
3) copy "unix" app back to etc/apps folder
4) restart splunk

0 Karma

fisk12
Path Finder

Anyone have any idea?

0 Karma

fisk12
Path Finder

Cool, did the trick, almost :) I managed to get rid of all the events except unix-all-logs, right now there is a part of my config that looks like this.

search = source="log" OR source="var" OR sourcetype="syslog*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog dispatch.earliest_time = -15m

[unix-all-configs] search = source="/etc/" OR source=".conf" OR source="*.cfg"

[unix-errors-or-critical] search = index="os" = eventtype="unix-all-logs" error OR critical

How should i set this to get rid of the "unix-all-logs" event?

0 Karma

fisk12
Path Finder

Anyone have any ideas?

0 Karma

southeringtonp
Motivator

The unix app has a known issue with incorrectly defined eventtypes.

Take a look at this thread:
      http://answers.splunk.com/questions/9194/results-returning-wrong-eventtypes

The gist is that you need to override each of the affected eventtypes and add the missing search= before the search strings.

Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.