
sourcetype linux_secure fields not extracted

Path Finder

According to the Splunk documentation some sourcetypes will be automatically recognized. This includes linux_secure. However, in my environment none of the fields are recognized. Is it normal that pretrained sourcetypes wouldn't have any field extraction established? I'm willing to do the field extraction myself if this is normal. However, I suspect that maybe something is broken and the field extraction should already be done for known / pretrained sourcetypes (like linux_secure).

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Listofpretrainedsourcetypes


Path Finder

I installed this addon and it resolved the issue (Splunk Add-on for Unix and Linux).

https://splunkbase.splunk.com/app/833/


SplunkTrust

There is now a dedicated and certified app for Linux Secure: https://splunkbase.splunk.com/app/3476/


Legend

The pre-trained sourcetypes are already defined, but they will not always be automatically recognized. Those are two different things.

linux_secure is based on syslog and has a very similar pattern. So Splunk will not usually be able to automatically recognize it. Set the sourcetype in inputs.conf.

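As an added example (not code from this thread or from the add-on), this shows the kind of field extraction the Unix/Linux TA supplies for linux_secure events, written as PCRE-compatible regexes that could be placed in a hypothetical props.conf EXTRACT- stanza for that sourcetype, and run here in Python over constructed /var/log/secure lines; the failed-login counter at the end is the sort of detection those fields make possible.

```python
import re
from collections import Counter

# Constructed sample /var/log/secure (sshd, sudo) events; not taken from the thread.
SAMPLE_EVENTS = [
    "Jun 14 15:16:01 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jun 14 15:16:05 host1 sshd[1235]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: RSA SHA256:EXAMPLEFP",
    "Jun 14 15:17:10 host1 sshd[1236]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Jun 14 15:18:00 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd",
]

# Named groups use (?P<name>...) so the same pattern is valid PCRE for a hypothetical
# props.conf stanza such as:  EXTRACT-sshd_auth = <pattern below>
SSHD_AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<action>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)"
)
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$"
)


def extract_fields(event: str) -> dict:
    """Return the fields an extraction would produce for one linux_secure event, or {} if none match."""
    m = SSHD_AUTH_RE.search(event)
    if m:
        fields = m.groupdict()
        fields["app"] = "sshd"
        fields["invalid_user"] = "for invalid user " in event  # username does not exist on the host
        return fields
    m = SUDO_RE.search(event)
    if m:
        fields = m.groupdict()
        fields["app"] = "sudo"
        return fields
    return {}


def failed_logins_by_src(events) -> dict:
    """Count sshd authentication failures per source IP, a basic brute-force signal."""
    counts = Counter()
    for event in events:
        f = extract_fields(event)
        if f.get("app") == "sshd" and f["action"] == "Failed":
            counts[f["src_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_fields(event))
    print(failed_logins_by_src(SAMPLE_EVENTS))
```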

Path Finder

Thanks for the reply. We're using the universal forwarder on these systems and Splunk did automatically recognize the log as sourcetype=linux_secure. However, the part that is missing (maybe it's normal) is field extraction.


New Member

I am having the same problem in my lab. Here is my inputs.conf file for the nix TA:

cat /opt/splunk/etc/apps/Splunk_TA_nix/local/inputs.conf
[monitor:///etc]
disabled = false

[monitor:///var/adm]
disabled = false

[monitor:///home/*/.bash_history]
disabled = false

[script://./bin/bandwidth.sh]
disabled = false

[monitor:///root/.bash_history]
disabled = false

[monitor:///Library/Logs]
disabled = false

[script://./bin/cpu.sh]
disabled = false

[script://./bin/df.sh]
disabled = false

[script://./bin/hardware.sh]
disabled = false

[script://./bin/interfaces.sh]
disabled = false

[script://./bin/iostat.sh]
disabled = false

[script://./bin/lastlog.sh]
disabled = false

[script://./bin/lsof.sh]
disabled = false

[script://./bin/netstat.sh]
disabled = false

[script://./bin/openPorts.sh]
disabled = false

[script://./bin/openPortsEnhanced.sh]
disabled = false

[script://./bin/package.sh]
disabled = false

[script://./bin/passwd.sh]
disabled = false

[script://./bin/protocol.sh]
disabled = false

[script://./bin/ps.sh]
disabled = false

[script://./bin/rlog.sh]
disabled = false

[script://./bin/selinuxChecker.sh]
disabled = false

[script://./bin/service.sh]
disabled = false

[script://./bin/sshdChecker.sh]
disabled = false

[script://./bin/time.sh]
disabled = false

[script://./bin/top.sh]
disabled = false

[script://./bin/update.sh]
disabled = false

[script://./bin/uptime.sh]
disabled = false

[script://./bin/usersWithLoginPrivs.sh]
disabled = false

[script://./bin/version.sh]
disabled = false

[script://./bin/vmstat.sh]
disabled = false

[script://./bin/vsftpdChecker.sh]
disabled = false

[script://./bin/who.sh]
disabled = false


SplunkTrust

@jeremyarcher You're adding on to a question that is more than three years old and has an accepted answer. For better chances at getting help, please post a new question describing your problem.

---
If this reply helps you, an upvote would be appreciated.

Motivator

Are you able to search for the logs on the search head? Did you take a look at the sourcetype?

Did you try to validate your inputs.conf and outputs.conf?

Provide more info to locate the issue.


Path Finder

Yes, I can find the logs in question using:

sourcetype=linux_secure

However, Splunk does not find or extract any field data from the recognized sourcetype.
