Splunk Search

sourcetype linux_secure fields not extracted

jeremyarcher
Path Finder

According to the Splunk documentation some sourcetypes will be automatically recognized. This includes linux_secure. However, in my environment none of the fields are recognized. Is it normal that pretrained sourcetypes wouldn't have any field extraction established? I'm willing to do the field extraction myself if this is normal. However, I suspect that maybe something is broken and the field extraction should already be done for known / pretrained sourcetypes (like linux_secure).

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Listofpretrainedsourcetypes

0 Karma
1 Solution

jeremyarcher
Path Finder

I installed this addon and it resolved the issue (Splunk Add-on for Unix and Linux).

https://splunkbase.splunk.com/app/833/

0 Karma

doksu
Contributor

There is now a dedicated and certified app for Linux Secure: https://splunkbase.splunk.com/app/3476/

0 Karma

lguinn2
Legend

The pre-trained sourcetypes are already defined, but they will not always be automatically recognized. Those are two different things.

linux_secure is based on syslog and has a very similar pattern. So Splunk will not usually be able to automatically recognize it. Set the sourcetype in inputs.conf.

0 Karma

jeremyarcher
Path Finder

Thanks for the reply. We're using the universal forwarder on these systems and Splunk did automatically recognize the log as sourcetype=linux_secure. However, the part that is missing (maybe it's normal) is field extraction.

0 Karma

nathans
New Member

I am having the same problem in my lab. Here is my inputs.conf file for the nix TA

cat /opt/splunk/etc/apps/Splunk_TA_nix/local/inputs.conf
[monitor:///etc]
disabled = false

[monitor:///var/adm]
disabled = false

[monitor:///home/*/.bash_history]
disabled = false

[script://./bin/bandwidth.sh]
disabled = false

[monitor:///root/.bash_history]
disabled = false

[monitor:///Library/Logs]
disabled = false

[script://./bin/cpu.sh]
disabled = false

[script://./bin/df.sh]
disabled = false

[script://./bin/hardware.sh]
disabled = false

[script://./bin/interfaces.sh]
disabled = false

[script://./bin/iostat.sh]
disabled = false

[script://./bin/lastlog.sh]
disabled = false

[script://./bin/lsof.sh]
disabled = false

[script://./bin/netstat.sh]
disabled = false

[script://./bin/openPorts.sh]
disabled = false

[script://./bin/openPortsEnhanced.sh]
disabled = false

[script://./bin/package.sh]
disabled = false

[script://./bin/passwd.sh]
disabled = false

[script://./bin/protocol.sh]
disabled = false

[script://./bin/ps.sh]
disabled = false

[script://./bin/rlog.sh]
disabled = false

[script://./bin/selinuxChecker.sh]
disabled = false

[script://./bin/service.sh]
disabled = false

[script://./bin/sshdChecker.sh]
disabled = false

[script://./bin/time.sh]
disabled = false

[script://./bin/top.sh]
disabled = false

[script://./bin/update.sh]
disabled = false

[script://./bin/uptime.sh]
disabled = false

[script://./bin/usersWithLoginPrivs.sh]
disabled = false

[script://./bin/version.sh]
disabled = false

[script://./bin/vmstat.sh]
disabled = false

[script://./bin/vsftpdChecker.sh]
disabled = false

[script://./bin/who.sh]
disabled = false

0 Karma

richgalloway
SplunkTrust

@jeremyarcher You're adding on to a question that is more than three years old and has an accepted answer. For better chances at getting help, please post a new question describing your problem.

---
If this reply helps you, Karma would be appreciated.
0 Karma

splunker12er
Motivator

Are you able to search for the logs on the search head? Did you take a look at the sourcetype?

Did you try to validate your inputs.conf and outputs.conf?

Provide more info to locate the issue.

0 Karma

jeremyarcher
Path Finder

Yes, I can find the logs in question using:

sourcetype=linux_secure

However, Splunk does not find or extract any field data from the recognized sourcetype.

0 Karma
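
The thread above boils down to two separate fixes: pin the sourcetype explicitly in inputs.conf (lguinn2's point) and supply search-time extractions for linux_secure in props.conf if no add-on provides them. The script below is an added example, not code from the original thread or from the Splunk Add-on for Unix and Linux. It holds a small set of EXTRACT regexes for the sshd and sudo lines that /var/log/secure typically contains, tests them offline against constructed sample events before anything is deployed, runs a simple failed-login detection over the parsed fields, and renders the inputs.conf and props.conf stanzas. The monitored path /var/log/secure, the field names (action, user, src_ip, src_port, target_user, command) and the sample events are all assumptions for illustration; host and the timestamp are deliberately not extracted because Splunk sets those at index time.

```python
import re

# Constructed sample events in /var/log/secure format (made up for this example).
SAMPLE_EVENTS = [
    "Jun 14 09:12:01 web01 sshd[2231]: Accepted publickey for deploy from 10.0.4.21 port 51422 ssh2: RSA SHA256:k3v9x",
    "Jun 14 09:12:07 web01 sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2",
    "Jun 14 09:12:09 web01 sshd[2240]: Failed password for root from 198.51.100.7 port 40122 ssh2",
    "Jun 14 09:13:30 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "Jun 14 09:14:02 web01 sshd[2290]: pam_unix(sshd:session): session opened for user deploy by (uid=0)",
]

# Python-style named groups (?P<name>...) are also accepted by Splunk's PCRE engine,
# so these exact strings can be pasted into props.conf EXTRACT-* settings.
# Assumed field names; pick whatever your data model / searches expect.
EXTRACTIONS = {
    # process name and pid from the syslog header; host/timestamp are index-time fields already
    "EXTRACT-syslog_process":
        r"^\w{3} +\d+ \d{2}:\d{2}:\d{2} \S+ (?P<process>[\w/.-]+)(?:\[(?P<pid>\d+)\])?:",
    # sshd authentication results: Accepted/Failed <method> for [invalid user] <user> from <ip> port <port>
    "EXTRACT-sshd_auth":
        r"sshd\[\d+\]: (?P<action>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
        r"(?P<user>\S+) from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<src_port>\d+)",
    # sudo command log: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>
    "EXTRACT-sudo":
        r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target_user>\S+) ; COMMAND=(?P<command>.*)$",
}

MONITOR_PATH = "/var/log/secure"  # assumed; /var/log/auth.log on Debian-derived systems


def extract_fields(event):
    """Apply every EXTRACT regex to one raw event, the way Splunk does at search time.

    Returns a dict of field name -> value for the groups that matched.
    """
    fields = {}
    for regex in EXTRACTIONS.values():
        m = re.search(regex, event)
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def failed_logins_by_src(events, threshold=2):
    """Count sshd 'Failed' events per source IP and keep those at or above threshold.

    SPL equivalent once the extractions are live:
        sourcetype=linux_secure action=Failed | stats count by src_ip | where count>=2
    """
    counts = {}
    for event in events:
        fields = extract_fields(event)
        if fields.get("action") == "Failed" and "src_ip" in fields:
            counts[fields["src_ip"]] = counts.get(fields["src_ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def render_conf():
    """Return (inputs.conf, props.conf) text for an app's local/ directory.

    inputs.conf pins the sourcetype so recognition does not depend on autodetection;
    props.conf attaches the search-time extractions to that sourcetype.
    """
    inputs_conf = (
        f"[monitor://{MONITOR_PATH}]\n"
        "sourcetype = linux_secure\n"
        "disabled = false\n"
    )
    props_conf = "[linux_secure]\n" + "".join(
        f"{name} = {regex}\n" for name, regex in EXTRACTIONS.items()
    )
    return inputs_conf, props_conf


def check_samples(events):
    """Fail fast if any event that should carry fields yields none; returns parsed list."""
    parsed = [extract_fields(e) for e in events]
    for event, fields in zip(events, parsed):
        if "process" not in fields:
            raise ValueError(f"header regex did not match: {event}")
    return parsed


if __name__ == "__main__":
    for event, fields in zip(SAMPLE_EVENTS, check_samples(SAMPLE_EVENTS)):
        print(event)
        print("   ", fields)
    print("repeat failed logins:", failed_logins_by_src(SAMPLE_EVENTS))
    inputs_conf, props_conf = render_conf()
    print("\n# inputs.conf\n" + inputs_conf + "\n# props.conf\n" + props_conf)
```

Drop the rendered stanzas into the local/ directory of an app on the forwarder (inputs.conf) and on the search head (props.conf), then confirm they are the ones in effect with `splunk btool props list linux_secure --debug`; if an add-on such as the Splunk Add-on for Unix and Linux is also installed, its extractions for the same sourcetype will show up there too, and you should keep only one set to avoid duplicate or conflicting field values.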