Query information

rballan2

Hi,

I have a UNIX Solaris 8 server that acts/behaves like a Splunk proxy server for 2 other UNIX Solaris 8 servers.

In other words the 2 Solaris servers send the syslog file to the UNIX Solaris Proxy server.

I am trying to create a query that will show the events coming from the 2 UNIX Solaris 8 servers.

I run the below query for example:

index=nix* serverproxy*
| eval Status=if(like(source, "%FirstUNIXSolaris8%"), 1, 0)

I am not getting any event that shows the FirstUNIXSolaris8 name/hostname.

Any suggestion on how to create the specific query, please?

Thanks, Regards.

Roberto


ITWhisperer

What do your events look like once they are indexed in Splunk? Presumably, host is the proxy server and source is the syslog file? What other fields have been extracted?


rballan2

Below is an example of an event when I run the query: index=nix* Proxyservername*

Source is /var/adm/messages and /var/log/secure (UNIX LOGS).

Selected fields are: host, index, process, source, sourcetype, tag

********************************************

12/13/21
6:15:01.000 AM

Dec 13 01:15:01 PROXYserver CROND[15913]: (flaradm) CMD (cd /vol00/ServerMgmt/Deploy_script/CURRENT/utils/UvScan_DATs/ ; scp *.dat root@PROXYservr:/usr/local/uvscan/ )

host = Proxyserver
index = nixlogsec
process = CROND
source = /var/log/messages
sourcetype = syslog


12/13/21
6:15:01.000 AM

Dec 13 01:15:01 PROXYserver CROND[15913]: (flaradm) CMD (cd /vol00/ServerMgmt/Deploy_script/CURRENT/utils/UvScan_DATs/ ; scp *.dat root@PROXYservr:/usr/local/uvscan/ )

host = Proxyserver
index = nixlogsec
process = CROND
source = /var/log/secure
sourcetype = linux_secure
tag = os
tag = unix


12/12/21
1:31:33.000 PM

Dec 12 08:31:33 PROXYserver root: [ID 702911 local1.info] ITSEC : UVSCAN : [uvscan check failed]

host = PROXYservr.lmtas.com
index = nixlogsec
process = root
source = /var/adm/messages
sourcetype = syslog
tag = error


12/10/21
9:44:31.000 PM

Dec 10 16:44:31 PROXYserver scsi: [ID 107833 kern.notice] ASC: 0x32 (no defect spare location available), ASCQ: 0x0, FRU: 0x9d

host = PROXYservr.lmtas.com
index = nixlogsec
process = scsi
source = /var/adm/messages
sourcetype = syslog


ITWhisperer

To me, it doesn't look like there is anything in the event that identifies which server is sending the syslog file to the proxy server. Unless you can see something?

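Parsing the raw syslog header of the events posted above makes the point concrete: the only hostname in each line is the relay's own, so nothing ties an event back to one of the two Solaris senders unless the relay preserves the origin hostname in the header. The following is an added Python example, not code from the thread; the sample lines are constructed from the posted events, and the sshd line, the relay host list and all hostnames are placeholders.

```python
import re

# Constructed sample lines modelled on the thread's events (placeholder hosts).
# The last line shows what a relayed event looks like when the relay keeps
# the originating hostname in the syslog header.
SAMPLE_EVENTS = [
    "Dec 13 01:15:01 PROXYserver CROND[15913]: (flaradm) CMD (cd /tmp ; scp *.dat root@PROXYservr:/usr/local/uvscan/ )",
    "Dec 12 08:31:33 PROXYserver root: [ID 702911 local1.info] ITSEC : UVSCAN : [uvscan check failed]",
    "Dec 10 16:44:31 PROXYserver scsi: [ID 107833 kern.notice] ASC: 0x32 (no defect spare location available), ASCQ: 0x0, FRU: 0x9d",
    "Dec 13 01:20:00 FirstUNIXSolaris8 sshd[2231]: [ID 800047 auth.info] Accepted publickey for flaradm from 10.0.0.5 port 51234",
]

# BSD-style syslog header: timestamp, hostname, process[pid]:, optional
# Solaris "[ID nnnnnn facility.severity]" tag, then the message text.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<process>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?:\[ID (?P<msgid>\d+) (?P<facility>\w+)\.(?P<severity>\w+)\] )?"
    r"(?P<msg>.*)$"
)


def parse_syslog(line):
    """Return the header fields of one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def origin_host(event, relay_hosts):
    """Return the sending hostname, or None when the header names only the relay.

    relay_hosts holds the short names of the proxy (FQDNs are reduced to the
    short name before comparing)."""
    relays = {h.lower() for h in relay_hosts}
    if event["host"].split(".")[0].lower() in relays:
        return None
    return event["host"]


def classify(lines, relay_hosts):
    """Group parsed events by originating host; relay-only events go under '<relay only>'."""
    groups = {}
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            continue  # not a syslog header line; skip rather than guess
        key = origin_host(ev, relay_hosts) or "<relay only>"
        groups.setdefault(key, []).append(ev)
    return groups
```

Running `classify(SAMPLE_EVENTS, ["PROXYserver", "PROXYservr"])` puts the three posted events under `<relay only>`, which is exactly why a `like(source, ...)` or host filter cannot separate the two senders until the relay forwards the origin hostname.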

rballan2

You are correct, I do not see it either.

We are checking/verifying why we do not see any information that identifies which server (there are 2 UNIX servers that are sending data to the proxy server) is sending the syslog file to the proxy server.

I will update the "query"/messages as soon as I have the information.

Thanks.
