Is there a default sourcetype for /opt/log/www1/secure.log?

Contributor

Wondering if there is a default sourcetype that can be used to extract source_ip and user from secure.log files?

source_ip is easy because of the format

user is a little bit tricky because of the different formats of the log lines

Example events -

Thu Mar 16 2017 05:42:48 www1 sshd[3061]: Failed password for invalid user ubuntu from 78.111.167.117 port 3346 ssh2
Thu Mar 16 2017 05:31:31 www1 sshd[9216]: Accepted password for djohnson from 10.3.10.46 port 2750 ssh2
Thu Mar 16 2017 04:42:27 www1 sshd[56680]: pam_unix(sshd:session): session opened for user djohnson by (uid=0)

In this case, should we run the extraction several times and save the reg-ex pattern for each type of event separately?

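As an added example (not from the original thread and not part of any Splunk add-on), here is a small Python script that pulls source_ip and user out of the three sample event formats above with one regex per field instead of one regex per event type: an optional prefix group absorbs the "invalid user" / "user" wording differences, and the outcome (failed password, accepted password, session opened) is classified separately. The patterns use PCRE-compatible named groups, so the same expressions can be pasted into a Splunk rex command or a props.conf EXTRACT after changing `(?P<name>` to `(?<name>`. The field names, outcome labels and helper names are my own choices, not Splunk's.

```python
import re
from typing import Optional

# Constructed sample events, copied from the three formats shown in the question.
SAMPLE_EVENTS = [
    "Thu Mar 16 2017 05:42:48 www1 sshd[3061]: Failed password for invalid user ubuntu from 78.111.167.117 port 3346 ssh2",
    "Thu Mar 16 2017 05:31:31 www1 sshd[9216]: Accepted password for djohnson from 10.3.10.46 port 2750 ssh2",
    "Thu Mar 16 2017 04:42:27 www1 sshd[56680]: pam_unix(sshd:session): session opened for user djohnson by (uid=0)",
]

# Header shared by every line: timestamp, host, process[pid], then the free-text message.
HEADER_RE = re.compile(
    r"^(?P<timestamp>\w{3} \w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<process>\w+)\[(?P<pid>\d+)\]: (?P<message>.*)$"
)

# source_ip has the same shape in every format that carries one ("from <ipv4>").
SOURCE_IP_RE = re.compile(r"\bfrom (?P<source_ip>\d{1,3}(?:\.\d{1,3}){3})\b")

# user: one expression for all three formats.  The optional group swallows
# "invalid user " (failed logins) or "user " (pam session lines); the plain
# "for <name>" case (accepted logins) matches with the group skipped.  The
# trailing "from|by" anchors the end of the username.
USER_RE = re.compile(r"\bfor (?:invalid user |user )?(?P<user>\S+) (?:from|by)\b")

# Outcome labels are hypothetical names chosen for this example.
OUTCOME_PATTERNS = [
    ("failed_password", re.compile(r"^Failed password for")),
    ("accepted_password", re.compile(r"^Accepted password for")),
    ("session_opened", re.compile(r"session opened for user")),
]


def classify(message: str) -> str:
    """Return the outcome label for a message, or 'other' if no pattern applies."""
    for label, pattern in OUTCOME_PATTERNS:
        if pattern.search(message):
            return label
    return "other"


def parse_event(line: str) -> Optional[dict]:
    """Parse one secure.log line into a dict of fields, or None if the header does not match."""
    header = HEADER_RE.match(line)
    if not header:
        return None
    message = header.group("message")
    ip_match = SOURCE_IP_RE.search(message)
    user_match = USER_RE.search(message)
    return {
        "timestamp": header.group("timestamp"),
        "host": header.group("host"),
        "process": header.group("process"),
        "pid": header.group("pid"),
        "source_ip": ip_match.group("source_ip") if ip_match else None,
        "user": user_match.group("user") if user_match else None,
        # Useful for detection: sshd marks attempts against non-existent accounts.
        "invalid_user": "invalid user" in message,
        "outcome": classify(message),
    }


def count_by_outcome(lines) -> dict:
    """Count parsed events per outcome label; unparseable lines are skipped."""
    counts: dict = {}
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        counts[event["outcome"]] = counts.get(event["outcome"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(parse_event(line))
    print(count_by_outcome(SAMPLE_EVENTS))
```

If a future log format introduces usernames with spaces, the `\S+` in USER_RE would need to be widened; with the three formats above, a single field extraction is enough and there is no need to save a separate regex per event type.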

Re: Is there a default sourcetype for /opt/log/www1/secure.log?

Legend

Hi jagadeeshm,
have you seen:

In these apps you can find all the usual definitions for Unix.

Bye.
Giuseppe


Re: Is there a default sourcetype for /opt/log/www1/secure.log?

Esteemed Legend

If you are ONLY using this file, then you need this TA:

https://splunkbase.splunk.com/app/3476/
