This is my local/eventtypes.conf file
[juniper_sslvpn_auth]
search = sourcetype=juniper_sslvpn_mag "authentication successful" OR "authentication failed"
[juniper_sslvpn_authz]
priority = 6
search = sourcetype=juniper_sslvpn_mag "WebRequest Completed" OR "Closed Connection"
[juniper_sslvpn_auth_failed]
priority = 5
search = index=vpn sourcetype=juniper:sslvpn "Primary authentication failed"
[juniper_sslvpn_auth_successful]
priority = 5
search = index=vpn sourcetype=juniper:sslvpn "Primary authentication successful"
[juniper_sslvpn_webrequest]
priority = 5
search = index=vpn sourcetype=juniper:sslvpn "WebRequest"
[juniper_sslvpn_webrequest_sso_successful]
priority = 5
search = index=vpn sourcetype=juniper:sslvpn "Web SSO: Authentication successful"
The juniper_sslvpn_mag eventtypes are disabled. When I run
/apps/splunk/bin/splunk btool eventtypes list | less
and grep for juniper, all I get is
[juniper_sslvpn_auth_failed]
color =
description =
disabled = 0
priority = 5
search = index=vpn sourcetype=juniper:sslvpn "Primary authentication failed"
tags =
[juniper_sslvpn_auth_successful]
color =
description =
disabled = 0
priority = 5
search = index=vpn sourcetype=juniper:sslvpn "Primary authentication successful"
tags =
[juniper_sslvpn_webrequest]
color =
description =
disabled = 0
priority = 5
search = index=vpn sourcetype=juniper:sslvpn "WebRequest"
tags =
I can't see any reason why the final stanza in local/eventtypes.conf is not found by btool. Any ideas?
TIA,
Joe
Have a try by
$SPLUNK_HOME/bin/splunk cmd btool eventtypes list --debug > /tmp/eventtypes.btool
and then physically check in the output file to see if anything is missing.
Hi Koshyk,
The debug option helped me figure out what is going on with the eventtypes.conf. I have a precedence issue I have to figure out. Another day of learning. Nice to know about the --debug option.
Joe
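To make the kind of precedence problem described above visible, here is an added Python script (not from this thread and not Splunk's own code) that layers a few constructed eventtypes.conf fragments the way btool merges them and records which file each key came from, in the spirit of the --debug output. The file paths, stanza contents and the precedence order (highest first: system/local, app/local, app/default) are assumptions; the stanza in the highest-precedence file flips disabled to 1, which is the sort of override that silently stops a detection eventtype from matching.

```python
import configparser

# Constructed sample layers, listed highest-precedence first. The order is an
# assumption about Splunk's global-context precedence; check the docs for your version.
LAYERS = [
    ("etc/system/local/eventtypes.conf",
     "[juniper_sslvpn_webrequest_sso_successful]\ndisabled = 1\n"),
    ("etc/apps/vpn/local/eventtypes.conf",
     "[juniper_sslvpn_auth_failed]\npriority = 5\n"
     'search = index=vpn sourcetype=juniper:sslvpn "Primary authentication failed"\n'
     "[juniper_sslvpn_webrequest_sso_successful]\npriority = 5\n"
     'search = index=vpn sourcetype=juniper:sslvpn "Web SSO: Authentication successful"\n'),
    ("etc/apps/vpn/default/eventtypes.conf",
     "[juniper_sslvpn_auth_failed]\npriority = 1\ndisabled = 0\n"),
]

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}} with case-sensitive keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; do not lowercase them
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def merge_layers(layers):
    """Merge like btool: the first (highest-precedence) file that sets a key wins.
    Returns {stanza: {key: (value, source_path)}} so each key's origin is recorded."""
    merged = {}
    for path, text in layers:
        for stanza, keys in parse_conf(text).items():
            target = merged.setdefault(stanza, {})
            for key, value in keys.items():
                target.setdefault(key, (value, path))
    return merged

def debug_report(merged):
    """Render lines in the style of `btool --debug`: source path, stanza, key = value."""
    lines = []
    for stanza in sorted(merged):
        for key, (value, path) in sorted(merged[stanza].items()):
            lines.append(f"{path:<40} [{stanza}] {key} = {value}")
    return lines

def disabled_stanzas(merged):
    """Stanzas whose effective disabled value is 1: eventtypes that will never match."""
    return sorted(s for s, keys in merged.items()
                  if keys.get("disabled", ("0", ""))[0] == "1")

if __name__ == "__main__":
    result = merge_layers(LAYERS)
    print("\n".join(debug_report(result)))
    print("effectively disabled:", disabled_stanzas(result))
```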
Thanks mate. I've put it in an answer; if you can, please upvote/accept it.