*nix app and permissions.


This is largely an observation unless i am missing something: on the *nix app of the free version of splunk some files in /var/log directory are exculded from being logged. In fact, the entire /var/log data input is disabled to begin with. Other files and subdirectories are whitelisted and therefore indexable by splunk.

This may become problematic when one wants to see, say, "failed logins" (under Users, Failed Logins menu item in the *nix App). First, the /var/log input must be enabled, second, the/var/log/secure log file should be whitelisted and third, splunk should run as a user with at least read privileges on said locations.

Is there a more direct way of accomplishing this?

  • dritan

Splunk Employee
Splunk Employee

First, to enable the inputs you need to go through the setup of the unix, in Manager > Apps and then click on the Setup link in the Unix app

Second, to get the required data sources (from /var/log) into splunk you'll need to edit the default whitelist under Manager » Data inputs » Files & Directories » /var/log - to index everything simply set this to .*

Not indexing the required data sources to populate the dashboards is a bug, and I've filed an issue SPL-33801

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!