Where to search my monitored indexed log

SplunkUser5888
Path Finder

Hey guys,

I have written some stuff in the inputs.conf file, and the fschange stuff works, but I can't find the logs that I'm trying to monitor. Am I having conflicts with fschange? What should I search to find my monitored logs?

Any help would be appreciated.

[default]
host = server2003-splu

[script://$SPLUNK_HOME\bin\scripts\splunk-perform.path]
disabled = 0

[fschange:C:\Documents and Settings\Administrator\Local Settings]
index = _audit
signedaudit = false
pollPeriod = 1
hashMaxSize = 10485760
fullEvent = true

[fschange:C:\Documents and Settings\All Users]
index = _audit
signedaudit = false
pollPeriod = 1
hashMaxSize = 10485760
fullEvent = true

[fschange:C:\WINDOWS\system32]
index = _audit
signedaudit = false
pollPeriod = 1
hashMaxSize = 10485760
fullEvent = true

[monitor://C:\GMER_Rootkit_logs]

SplunkUser


sdaniels
Splunk Employee

Can you try the direct path to one of your files and see if you get anything? I assume the search time you are using is 'All time'. If the time stamp that you are picking up is recognized incorrectly, it might be getting indexed as an older time; therefore, if you were searching in the last 24 hours or something, you would not see it. I've seen stranger things happen with time stamps.


tskinnerivsec
Contributor

From the "Monitor changes to your filesystem" section of the Getting Data In document:

"If you have signedaudit=true, the file system change audit event will be indexed into the audit index (index=_audit). If signedaudit is not turned on, by default, the events are written to the main index unless you specify another index."

In your above config, you have signedaudit set to false.


SplunkUser5888
Path Finder

That's for fschange, which works fine. I'm having issues with monitor; I just added fschange in there to see if people thought it was an issue with directories. Thanks anyway.


SplunkUser5888
Path Finder

Thank you, a simple source=*.log got what I was looking for.

Thank you very much


sdaniels
Splunk Employee

Also, here is a link on the Wiki for troubleshooting. You may see something here that you haven't thought of as well.

http://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

sdaniels
Splunk Employee

You would need the part not with 'OR' to be in brackets. Make it simpler: the monitor will put the logs in the 'main' index, so no need to include that. Just search on source="*.log" and see if you get anything over "All time" for the log files you are looking for.
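
The two routing rules stated in this thread (a signed fschange audit goes to _audit; otherwise an input lands in its stanza's index, else main) applied to the poster's inputs.conf, as an added example that is not part of the thread or of Splunk itself: it reads the stanzas with Python's configparser and builds, per input, the all-time search to run, using `earliest=0` instead of picking "All time" in the UI. The names `effective_index` and `suggested_searches` are my own, and the sample config is an abridged copy of the one posted above.

```python
import configparser
from typing import Dict

# Constructed sample input: an abridged copy of the inputs.conf stanzas
# posted in the question above.
INPUTS_CONF = r"""
[default]
host = server2003-splu

[fschange:C:\WINDOWS\system32]
index = _audit
signedaudit = false

[monitor://C:\GMER_Rootkit_logs]
"""


def effective_index(stanza: str, settings: Dict[str, str]) -> str:
    """Rule quoted from the Getting Data In docs: a signed fschange audit
    always lands in _audit; otherwise the stanza's own index, else main."""
    if stanza.startswith("fschange:") and settings.get("signedaudit", "false").lower() == "true":
        return "_audit"
    return settings.get("index", "main")


def suggested_searches(conf_text: str) -> Dict[str, str]:
    """Map each enabled monitor:// or fschange: stanza to an all-time search
    (earliest=0) on its effective index, so a timestamp parsed into the past
    cannot hide the events from a 'last 24 hours' search."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(conf_text)
    base = dict(cp["default"]) if cp.has_section("default") else {}
    result: Dict[str, str] = {}
    for stanza in cp.sections():
        settings = {**base, **dict(cp[stanza])}  # [default] keys apply to every stanza
        if stanza == "default" or settings.get("disabled", "0").lower() in ("1", "true"):
            continue
        scope = f'host={settings["host"]} ' if "host" in settings else ""
        idx = effective_index(stanza, settings)
        if stanza.startswith("monitor://"):  # source is each file's full path
            path = stanza[len("monitor://"):]
            result[stanza] = f'{scope}index={idx} source="{path}\\*" earliest=0'
        elif stanza.startswith("fschange:"):  # match the watched path as a term
            path = stanza[len("fschange:"):]
            result[stanza] = f'{scope}index={idx} "{path}" earliest=0'
    return result


if __name__ == "__main__":
    for stanza, spl in suggested_searches(INPUTS_CONF).items():
        print(stanza, "->", spl)
```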

SplunkUser5888
Path Finder

Well, I think the fact that my Splunk server isn't set up well for time won't help that.

Nothing found when I search:

host=server2003-splu C:\GMER_Rootkit_logs\123.log
or
host=server2003-splu C:\GMER_Rootkit_logs
or
host=server2003-splu index=_audit C:\GMER_Rootkit_logs\123.log
or
host=server2003-splu index=main C:\GMER_Rootkit_logs\123.log

on All Time
