According to the Splunk documentation some sourcetypes will be automatically recognized. This includes linux_secure. However, in my environment none of the fields are recognized. Is it normal that pretrained sourcetypes wouldn't have any field extraction established? I'm willing to do the field extraction myself if this is normal. However, I suspect that maybe something is broken and the field extraction should already be done for known / pretrained sourcetypes (like linux_secure).
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Listofpretrainedsourcetypes
I installed this addon and it resolved the issue (Splunk Add-on for Unix and Linux).
There is now a dedicated and certified app for Linux Secure: https://splunkbase.splunk.com/app/3476/
The pre-trained sourcetypes are already defined, but they will not always be automatically recognized. Those are two different things. linux_secure is based on syslog and has a very similar pattern, so Splunk will not usually be able to automatically recognize it. Set the sourcetype in inputs.conf.
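As an added illustration (not part of this thread or of the Splunk Add-on for Unix and Linux), this is what pinning the sourcetype in inputs.conf and adding search-time field extractions for it in props.conf looks like. The monitored path, the stanza names and the regexes are my own assumptions; they cover the usual sshd and sudo lines found in /var/log/secure on RHEL-style hosts.

```ini
# inputs.conf (on the universal forwarder): pin the sourcetype rather than
# relying on autodetection, which cannot tell linux_secure from generic syslog.
# The path is an assumption (RHEL/CentOS); Debian-style hosts use /var/log/auth.log.
[monitor:///var/log/secure]
sourcetype = linux_secure
disabled = false

# props.conf (on the search head): search-time extractions for linux_secure.
# Each EXTRACT-<name> holds one PCRE with named groups; group names become fields.
# These stanzas are illustrative assumptions, not the add-on's own definitions.
[linux_secure]
# Matches sshd lines such as:
#   sshd[2143]: Accepted publickey for alice from 203.0.113.7 port 51234 ssh2
#   sshd[2150]: Failed password for invalid user bob from 198.51.100.9 port 40022 ssh2
EXTRACT-ssh_auth = sshd\[\d+\]:\s+(?<action>Accepted|Failed)\s+(?<authmethod>\S+)\s+for\s+(?:invalid user\s+)?(?<user>\S+)\s+from\s+(?<src_ip>\S+)\s+port\s+(?<src_port>\d+)
# Matches sudo lines such as:
#   sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
EXTRACT-sudo = sudo:\s+(?<user>\S+)\s+:\s+TTY=(?<tty>\S+)\s+;\s+PWD=(?<pwd>\S+)\s+;\s+USER=(?<target_user>\S+)\s+;\s+COMMAND=(?<command>.+)$
```

After a restart (or a debug refresh), `sourcetype=linux_secure action=Failed | stats count by src_ip, user` shows whether the extractions fire on your events.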
Thanks for the reply. We're using the universal forwarder on these systems and Splunk did automatically recognize the log as sourcetype=linux_secure. However, the part that is missing (maybe it's normal) is field extraction.
I am having the same problem in my lab. Here is my inputs.conf file for the nix TA
cat /opt/splunk/etc/apps/Splunk_TA_nix/local/inputs.conf
[monitor:///etc]
disabled = false
[monitor:///var/adm]
disabled = false
[monitor:///home/*/.bash_history]
disabled = false
[script://./bin/bandwidth.sh]
disabled = false
[monitor:///root/.bash_history]
disabled = false
[monitor:///Library/Logs]
disabled = false
[script://./bin/cpu.sh]
disabled = false
[script://./bin/df.sh]
disabled = false
[script://./bin/hardware.sh]
disabled = false
[script://./bin/interfaces.sh]
disabled = false
[script://./bin/iostat.sh]
disabled = false
[script://./bin/lastlog.sh]
disabled = false
[script://./bin/lsof.sh]
disabled = false
[script://./bin/netstat.sh]
disabled = false
[script://./bin/openPorts.sh]
disabled = false
[script://./bin/openPortsEnhanced.sh]
disabled = false
[script://./bin/package.sh]
disabled = false
[script://./bin/passwd.sh]
disabled = false
[script://./bin/protocol.sh]
disabled = false
[script://./bin/ps.sh]
disabled = false
[script://./bin/rlog.sh]
disabled = false
[script://./bin/selinuxChecker.sh]
disabled = false
[script://./bin/service.sh]
disabled = false
[script://./bin/sshdChecker.sh]
disabled = false
[script://./bin/time.sh]
disabled = false
[script://./bin/top.sh]
disabled = false
[script://./bin/update.sh]
disabled = false
[script://./bin/uptime.sh]
disabled = false
[script://./bin/usersWithLoginPrivs.sh]
disabled = false
[script://./bin/version.sh]
disabled = false
[script://./bin/vmstat.sh]
disabled = false
[script://./bin/vsftpdChecker.sh]
disabled = false
[script://./bin/who.sh]
disabled = false
@jeremyarcher You're adding on to a question that is more than three years old and has an accepted answer. For better chances at getting help, please post a new question describing your problem.
Are you able to search for the logs on the search head? Did you take a look at the sourcetype?
Did you try to validate your inputs.conf & outputs.conf?
Provide more info to locate the issue.
Yes, I can find the logs in question using:
sourcetype=linux_secure
However, Splunk does not find or extract any field data from the recognized sourcetype.