Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you help me understand why my /var/log/secure useradd field extractions are not working as expected?

daniel333
Builder
‎04-10-2018 02:05 PM

All,

I have a clean install of Splunk ES with the latest Splunk App For Nix enabled. The Account Management dashboard is not populating in a useful.

I have this log event which is my test -
Apr 10 19:44:10 myhost useradd[5965]: new user: name=mysql, UID=997, GID=994, home=/var/lib/mysql, shell=/bin/bash

SHOULD pull field extraction from this out of the box transform stanza -

[useradd]
REGEX = .*?((new) (user|group|account))(?:: | (?:added) - )(?:name|account)=(\w+),
FORMAT = vendor_action::$1 object_category::$3 name::$4 user::$4

I confirmed you stanza SHOULD work in regex101.com

Can you help me understand why this isn't working as I expect? I believe users added, removed, groups added, removed should appear here by who executed the command.

0 Karma
Reply

p_gurav
Champion
‎04-10-2018 09:48 PM

Can you also verify the sourcetype name in both application and in normal search? Also try running dashboard search manually and check which parameter is not match.

0 Karma
Reply

FrankVl
Ultra Champion
‎04-11-2018 12:26 AM

Also: the account management dashboard probably relies on the Change Analysis data model. So you may want to check if that is being populated correctly.

0 Karma
Reply

daniel333
Builder
‎04-11-2018 03:34 PM

Ended up finding the default lookup tables were missing entries for my OS. Aftermanually adding them I was set. Send in the missing elements to support to maybe they'll make their way into the next release.

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...