Splunk Search

teach splunk to read data from log

fisk12
Path Finder

I have syslog from a server sending me logs from /var/log/secure (ssh). But splunk can't seem to read out some stuff from it (ex src)

The packet looks like this.

Nov 14 21:50:33 172.28.2.5 sshd[984]: Accepted password for apa from 192.168.1.5 port 42957 ssh2 tag::host=test Options| host=192.168.1.1 Wiki Options

I want the src (192.168.1.5) to appear in the "src" column.

Tags (2)
0 Karma

fisk12
Path Finder

Hmm, but say that i monitor all events in a 15 minutes interval, i have some stuff from the firewall that shows up in the "src" field. I also log some stuff from one of the linux server, and i want it to be able to show the source of the ssh stuff (or from the apache server) in the same "src" field as the firewall.

0 Karma

Genti
Splunk Employee
Splunk Employee

IFX works quite well, for me, but if it seems to be failing for you and you are unable to define the regex correctly through it, you could use a custom made regex and use the props.conf way of extracting fields. This is also very well documented at: http://www.splunk.com/base/Documentation/4.1.5/Knowledge/Createandmaintainsearch-timefieldextraction...

0 Karma

treinke
Builder

Sounds like you want to do some field extraction. You can give Splunk the field values and then give the results a field name. This is well documented and can be found at:

http://www.splunk.com/base/Documentation/4.1.5/User/InteractiveFieldExtractionExample

There are no answer without questions
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...