All,
I have a clean install of Splunk ES with the latest Splunk App For Nix enabled. The Account Management dashboard is not populating in a useful.
I have this log event which is my test -
Apr 10 19:44:10 myhost useradd[5965]: new user: name=mysql, UID=997, GID=994, home=/var/lib/mysql, shell=/bin/bash
SHOULD pull field extraction from this out of the box transform stanza -
[useradd]
REGEX = .*?((new) (user|group|account))(?:: | (?:added) - )(?:name|account)=(\w+),
FORMAT = vendor_action::$1 object_category::$3 name::$4 user::$4
I confirmed you stanza SHOULD work in regex101.com
Can you help me understand why this isn't working as I expect? I believe users added, removed, groups added, removed should appear here by who executed the command.
Can you also verify the sourcetype name in both application and in normal search? Also try running dashboard search manually and check which parameter is not match.
Also: the account management dashboard probably relies on the Change Analysis data model. So you may want to check if that is being populated correctly.
Ended up finding the default lookup tables were missing entries for my OS. Aftermanually adding them I was set. Send in the missing elements to support to maybe they'll make their way into the next release.