I need help correlating several distinct events and the different fields (4 fields) that link each event to the next, and doing it without the transaction command because of its performance cost.
event 1 --- field of interest 'msg' ie."msg=audit(1406101599.298:11965)" --- "source=/var/log/audit/audit.log"
    node=nodesrv0001
    type=PATH
    msg=audit(1406101599.298:11965):
    item=0 name="/etc/group"
    inode=280905 dev=fd:01 mode=0100644
    ouid=0 ogid=0 rdev=00:00
    nametype=NORMAL

event 2 --- field of interest 'auid' ie."auid=4294967295" --- "source=/var/log/audit/audit.log"
    node=nodesrv0001
    type=SYSCALL
    msg=audit(1406101599.298:11965):
    arch=c000003e syscall=90 success=yes exit=0
    a0=1bf1ce0 a1=81a4 a2=48ed57 a3=0
    items=1
    ppid=27177 pid=27230
    auid=4294967295
    uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3
    ses=4294967295
    comm="vi" exe="/bin/vi"
    key="Access-change"

event 3 --- field of interest 'pid' ie."pid=27016" --- "source=/var/log/audit/audit.log"
    node=nodesrv0001
    type=SYSCALL
    msg=audit(1406101460.101:11730):
    arch=c000003e syscall=2 success=yes exit=4
    a0=495340 a1=1 a2=2 a3=8
    items=1
    ppid=27015 pid=27016
    auid=4294967295
    uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3
    ses=4294967295
    comm="pblocald" exe="/usr/sbin/pblocald"
    key="logins"

event 4 --- (the link with the previous event is pblocald[27016], extracted and aliased to 'pid') --- field of interest 'uniqueid' ie."uniqueid: 0a411a8c53cf67cd5202" --- "source=/var/log/audit/audit.log"
    2014-07-23T08:44:20.102759+01:00
    nodesrv0001
    pblocald[27016]:
    pblocald[27015]:
    PowerBroker started bash on 2014/07/23 at 8:44,
    uniqueid: 0a411a8c53cf67cd5202
    psmcmapid: 0a4b4a2453cf67cd3ADF

event 5 ---
    2014-07-23T08:44:19.952255+01:00
    nodesrv0001
    pblocald8.0.0-10:
    pblocald[27015]:
    PowerBroker accepted bash on 2014/07/23 at 08:44:13 BST,
    submitted by sa_jdoe on srv0094
    run by root on nodesrv0001
    Logserver: logsrv0001 logsrv0002
    iolog:/apps/powerbroker/iologs/2014/07/23/084419.sa_jdoe.nodesrv0001.root.bash
    ticket_string:
    uniqueid: 0a411a8c53cf67cd5202
    psmcmapid: 0a4b4a2453cf67cd3ADF
Hi MarioM,
usually I use stats, chart, streamstats or eventstats
for something like this. Also take a look at this post to get some examples http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...
hope this helps ...
cheers, MuS
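The stats-style approach MuS suggests, worked through as an added example outside Splunk (this is not code from the question or the answer): the Python below performs the four single-key groupings the question describes, msg, then auid, then pid, then uniqueid, over constructed copies of the five events, so the join logic a stats pipeline has to express is visible hop by hop. Field names follow the events; the function names and the result keys are my own.

```python
import re
from collections import defaultdict

# Constructed copies of the five records in the question, one raw line each.
AUDIT_LINES = [
    'node=nodesrv0001 type=PATH msg=audit(1406101599.298:11965): item=0 name="/etc/group" inode=280905 mode=0100644 ouid=0 ogid=0 nametype=NORMAL',
    'node=nodesrv0001 type=SYSCALL msg=audit(1406101599.298:11965): arch=c000003e syscall=90 success=yes exit=0 ppid=27177 pid=27230 auid=4294967295 uid=0 ses=4294967295 comm="vi" exe="/bin/vi" key="Access-change"',
    'node=nodesrv0001 type=SYSCALL msg=audit(1406101460.101:11730): arch=c000003e syscall=2 success=yes exit=4 ppid=27015 pid=27016 auid=4294967295 uid=0 ses=4294967295 comm="pblocald" exe="/usr/sbin/pblocald" key="logins"',
]
PB_LINES = [
    '2014-07-23T08:44:20.102759+01:00 nodesrv0001 pblocald[27016]: pblocald[27015]: PowerBroker started bash on 2014/07/23 at 8:44, uniqueid: 0a411a8c53cf67cd5202 psmcmapid: 0a4b4a2453cf67cd3ADF',
    '2014-07-23T08:44:19.952255+01:00 nodesrv0001 pblocald8.0.0-10: pblocald[27015]: PowerBroker accepted bash on 2014/07/23 at 08:44:13 BST, submitted by sa_jdoe on srv0094 run by root on nodesrv0001 uniqueid: 0a411a8c53cf67cd5202 psmcmapid: 0a4b4a2453cf67cd3ADF',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(line):
    """auditd key=value record -> dict; quotes stripped, 'msg' keeps the audit(ts:serial) id."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def parse_pb(line):
    """pblocald syslog line -> first pblocald[pid], uniqueid and, when present, the submitter."""
    rec = {'pid': re.search(r'pblocald\[(\d+)\]', line).group(1),
           'uniqueid': re.search(r'uniqueid: (\w+)', line).group(1)}
    sub = re.search(r'submitted by (\S+) on (\S+)', line)
    if sub:
        rec['submitter'], rec['from_host'] = sub.groups()
    return rec

def correlate(audit_lines, pb_lines):
    """Chain the four joins from the question: msg -> auid -> pid -> uniqueid."""
    by_msg = defaultdict(dict)   # hop 1: PATH and SYSCALL parts share one msg id
    for rec in map(parse_audit, audit_lines):
        by_msg[rec['msg']].update({k: v for k, v in rec.items() if k != 'type'})
    # hop 2: the login record (key="logins") gives the pblocald pid for an auid.
    # 4294967295 is the kernel's "unset" loginuid (-1), so this hop is only
    # reliable on hosts where pam_loginuid actually sets auid.
    login_pid = {r['auid']: r['pid'] for r in by_msg.values() if r.get('key') == 'logins'}
    pb = [parse_pb(l) for l in pb_lines]
    uniq_by_pid = {r['pid']: r['uniqueid'] for r in pb}                          # hop 3
    submitter = {r['uniqueid']: r['submitter'] for r in pb if 'submitter' in r}  # hop 4
    rows = []
    for r in by_msg.values():
        if r.get('key') != 'Access-change' or 'name' not in r:
            continue   # only file-access records that carry a PATH name
        pid = login_pid.get(r['auid'])
        uniq = uniq_by_pid.get(pid)
        rows.append({'file': r['name'], 'comm': r['comm'], 'auid': r['auid'],
                     'pb_pid': pid, 'uniqueid': uniq, 'submitter': submitter.get(uniq)})
    return rows
```

Each hop is one grouping by one key, which is why the same chain maps onto successive stats stages rather than a single transaction.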