Hi,
I have a UNIX Solaris 8 server that acts as a Splunk proxy server for 2 other UNIX Solaris 8 servers.
In other words, the 2 Solaris servers send their syslog files to the UNIX Solaris proxy server.
I am trying to create a query that shows the events coming from the 2 UNIX Solaris 8 servers.
I run the below query for example:
index=nix* serverproxy*
| eval Status=if(like(source, "%FirstUNIXSolaris8%"), 1, 0)
I am not getting any event that shows the FirstUNIX Solaris8 name/hostname.
Please, any suggestion on how to create the specific query?
Thanks, Regards.
Roberto
What do your events look like once they are indexed in Splunk? Presumably, host is the proxy server and source is the syslog file? What other fields have been extracted?
Below is an example of an event when I run the query: index=nix* Proxyservername*
The source is /var/adm/messages and /var/log/secure (UNIX logs).
Selected fields are:
host
index
process
source
sourcetype
tag
********************************************
12/13/21
6:15:01.000 AM
Dec 13 01:15:01 PROXYserver CROND[15913]: (flaradm) CMD (cd /vol00/ServerMgmt/Deploy_script/CURRENT/utils/UvScan_DATs/ ; scp *.dat root@PROXYservr:/usr/local/uvscan/ )
host = Proxyserver
index = nixlogsec
process = CROND
source = /var/log/messages
sourcetype = syslog

12/13/21
6:15:01.000 AM
Dec 13 01:15:01 PROXYserver CROND[15913]: (flaradm) CMD (cd /vol00/ServerMgmt/Deploy_script/CURRENT/utils/UvScan_DATs/ ; scp *.dat root@PROXYservr:/usr/local/uvscan/ )
host = Proxyserver
index = nixlogsec
process = CROND
source = /var/log/secure
sourcetype = linux_secure
tag = os
tag = unix

12/12/21
1:31:33.000 PM
Dec 12 08:31:33 PROXYserver root: [ID 702911 local1.info] ITSEC : UVSCAN : [uvscan check failed]
host = PROXYservr.lmtas.com
index = nixlogsec
process = root
source = /var/adm/messages
sourcetype = syslog
tag = error

12/10/21
9:44:31.000 PM
Dec 10 16:44:31 PROXYserver scsi: [ID 107833 kern.notice] ASC: 0x32 (no defect spare location available), ASCQ: 0x0, FRU: 0x9d
host = PROXYservr.lmtas.com
index = nixlogsec
process = scsi
source = /var/adm/messages
sourcetype = syslog
To me, it doesn't look like there is anything in the event that identifies which server is sending the syslog file to the proxy server. Unless you can see something?
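To make the point above concrete, here is an added example that is not part of the thread and does not use Splunk. It parses the BSD-style syslog header that Solaris and Linux syslogd write ("Dec 13 01:15:01 PROXYserver CROND[15913]: ...") and pulls out the hostname stamped in that header, which is the only place a sending system's identity survives a relay. The sample events are constructed from the ones posted above; the fourth event is hypothetical and shows what an event would look like if the relay had preserved an origin host named "firstsolaris8". It also emulates the SPL like() test from the original query to show why testing the source field (a file path) can never match a hostname.

```python
import re
from collections import Counter

# BSD-style syslog header as written by Solaris/Linux syslogd, e.g.
#   "Dec 13 01:15:01 PROXYserver CROND[15913]: (flaradm) CMD (...)"
# The fourth whitespace-delimited token is the hostname the sender stamped.
SYSLOG_HEADER = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<process>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)

# Constructed sample events modelled on the thread's posts (paths shortened).
# The first three carry the proxy's name in the header, exactly as posted.
# The fourth is HYPOTHETICAL: an event whose header still names the origin
# host "firstsolaris8"; nothing like it appears in the thread.
SAMPLE_EVENTS = [
    {"host": "Proxyserver", "source": "/var/log/messages",
     "_raw": "Dec 13 01:15:01 PROXYserver CROND[15913]: (flaradm) CMD "
             "(cd /vol00/utils ; scp *.dat root@PROXYservr:/usr/local/uvscan/ )"},
    {"host": "PROXYservr.lmtas.com", "source": "/var/adm/messages",
     "_raw": "Dec 12 08:31:33 PROXYserver root: [ID 702911 local1.info] "
             "ITSEC : UVSCAN : [uvscan check failed]"},
    {"host": "PROXYservr.lmtas.com", "source": "/var/adm/messages",
     "_raw": "Dec 10 16:44:31 PROXYserver scsi: [ID 107833 kern.notice] "
             "ASC: 0x32 (no defect spare location available), ASCQ: 0x0, FRU: 0x9d"},
    {"host": "PROXYservr.lmtas.com", "source": "/var/adm/messages",
     "_raw": "Dec 13 02:00:07 firstsolaris8 sshd[2211]: [ID 800047 auth.info] "
             "Accepted publickey for flaradm from 10.0.0.5 port 50122 ssh2"},
]


def parse_header(raw):
    """Return the header fields of a BSD syslog line, or None if it does not parse."""
    m = SYSLOG_HEADER.match(raw)
    return m.groupdict() if m else None


def origin_host(event):
    """Hostname stamped in the event's syslog header (None if unparsable).

    Splunk's own 'host' field is whatever the forwarder on the proxy set, so
    after a relay only this header token can still identify the real sender.
    """
    hdr = parse_header(event["_raw"])
    return hdr["host"] if hdr else None


def count_by_origin(events):
    """How many events each header hostname accounts for."""
    return Counter(origin_host(e) or "<unparsed>" for e in events)


def splunk_like(value, pattern):
    """Emulate SPL like(): '%' matches any run of characters, '_' exactly one.

    Kept case-sensitive here; the point is what is being compared, not case.
    """
    regex = "".join(
        ".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def matches_on_source(events, pattern):
    """What the thread's query does: apply like() to 'source', the file path."""
    return [e for e in events if splunk_like(e["source"], pattern)]


def matches_on_origin(events, name):
    """Compare the header hostname instead (case-insensitive)."""
    return [e for e in events if (origin_host(e) or "").lower() == name.lower()]


if __name__ == "__main__":
    print("events per header host:", dict(count_by_origin(SAMPLE_EVENTS)))
    print("like(source, '%FirstUNIXSolaris8%') matches:",
          len(matches_on_source(SAMPLE_EVENTS, "%FirstUNIXSolaris8%")))
    print("header host == firstsolaris8 matches:",
          len(matches_on_origin(SAMPLE_EVENTS, "firstsolaris8")))
```

Run against the posted events, every header resolves to PROXYserver, so no filter on the Splunk side can separate the two senders; only the hypothetical fourth line is attributable. The equivalent in Splunk would be to extract that header token from _raw with something like rex field=_raw "^\w{3}\s+\d+ \d\d:\d\d:\d\d (?<origin_host>\S+) " and then filter on origin_host, but that only helps once the proxy actually preserves the sending host's name in the lines it hands to the forwarder.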
You are correct, I do not see it either.
We are checking/verifying why we do not see any information that identifies which server (there are 2 UNIX servers that are sending data to the proxy server) is sending the syslog file to the proxy server.
I will update the "query"/messages as soon as I have the information.
Thanks.