I have some different log sources that are being forwarded to a "main Splunk server". There are some Linux servers, and for those I have installed the Unix app. For some reason, all the eventtypes are showing up in events from other sources as well (firewall, wireless controller).
Like this, for every event:
eventtype=df check df host success
eventtype=iostat cpu iostat report resource success
eventtype=lsof file lsof report resource success
eventtype=netstat cpu netstat os report success
eventtype=ps os process ps report success
eventtype=top os process report success top
eventtype=vmstat memory report resource success vmstat
You've probably already figured this out, but I'm just adding this because I had the same issue. If you just comment out the stanza for [unix-all-logs] in /
In Unix app 4.5, I modified as follows:
search = source=".log" OR source=".log." OR source="/log/" OR source="/var/adm/" OR source="access*" OR source="error" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog
search = source="/var/adm/" OR source="access" OR source="error" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog
Cool, that did the trick, almost :) I managed to get rid of all the events except unix-all-logs; right now the part of my config looks like this.
search = source="log" OR source="var" OR sourcetype="syslog*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog
dispatch.earliest_time = -15m

[unix-all-configs]
search = source="/etc/" OR source=".conf" OR source="*.cfg"

[unix-errors-or-critical]
search = index="os" = eventtype="unix-all-logs" error OR critical
How should I set this to get rid of the "unix-all-logs" event?
The Unix app has a known issue with incorrectly defined eventtypes.
Take a look at this thread:
The gist is that you need to override each of the affected eventtypes and add the missing search= before the search strings.
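The defect described in the answers above (eventtype stanzas whose body is a bare search string with no search= key, so the stanza has no search key at all and does not constrain the eventtype) can be found mechanically. The following Python is an added example, not code from this thread or from the Splunk Unix app: it parses an eventtypes.conf, lists stanzas that lack a search key, and builds the text of a local override that re-declares each one with search= prepended. The sample conf is constructed to resemble the defect; its stanza bodies are assumptions, not the app's real file.

```python
"""
Added example (not from the thread or from the Splunk Unix app): a small lint
for Splunk eventtypes.conf that flags stanzas whose body is a bare search
string with no `search =` key. Because .conf files are key = value, a bare
line such as `sourcetype=iostat` is read as a key named `sourcetype`, so the
stanza ends up with no `search` key. The sample conf below is constructed to
resemble that defect; it is not the app's real file.
"""
import re

# Constructed sample; stanza bodies are assumed from the thread's description.
SAMPLE_CONF = """\
# eventtypes.conf (constructed sample)
[df]
search = sourcetype=df

[iostat]
sourcetype=iostat

[unix-all-logs]
source="*.log" OR sourcetype="syslog*" NOT sourcetype=lastlog
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_conf(text):
    """Parse a Splunk .conf file into {stanza: {"keys": {...}, "raw": [...]}}.

    `keys` holds key/value pairs split on the first '='; `raw` keeps every
    non-comment body line so a missing search can be rebuilt from it.
    """
    stanzas = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas[current] = {"keys": {}, "raw": []}
            continue
        if current is None:
            continue  # body line before any stanza header; ignore it
        stanzas[current]["raw"].append(line)
        key, sep, value = line.partition("=")
        if sep:
            stanzas[current]["keys"][key.strip()] = value.strip()
    return stanzas


def find_missing_search(stanzas):
    """Return stanza names (in file order) that define no `search` key."""
    return [name for name, body in stanzas.items() if "search" not in body["keys"]]


def build_local_override(stanzas):
    """Build local/eventtypes.conf text that re-declares each broken stanza
    with `search =` prepended to its original body (the fix the thread
    describes). Stanzas that already have a search key are left alone."""
    out = []
    for name in find_missing_search(stanzas):
        body = " ".join(stanzas[name]["raw"])
        out.append(f"[{name}]\nsearch = {body}\n")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_conf(SAMPLE_CONF)
    print("stanzas missing search=:", find_missing_search(parsed))
    print(build_local_override(parsed))
```

Run it against the app's default/eventtypes.conf instead of SAMPLE_CONF and paste the printed stanzas into the app's local/eventtypes.conf; local takes precedence over default, so the override survives an app upgrade, which editing default in place does not.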