In my setup, I have two machines running Ubuntu Linux. On one I have Splunk, and on the other I have the universal forwarder running. Both seem to be working. On the remote box, I run an IDS called Tripwire that stores its logs in the directory /var/lib/tripwire/report. Each report is a separate file in that directory. I added the directory using "add monitor" in the universal forwarder. What I assumed would happen is that newly added files would be logged in Splunk. When I run a tripwire check, the file is created. In Splunk, the only record is that /var/log/messages is updated with a short entry saying that tripwire has been run and the name/timestamp of the newly created file. This is not good enough, as I want to be able to see the entire report from the Splunk server and be able to search those contents (to trigger alerts). Is my understanding of what directory monitoring in Splunk does completely off? I assumed it would send a notification of any additions/changes to files in the monitored directories. Or is my implementation incorrect?
I also tried another method; since the logging of /var/log/messages worked, I created a /var/trip/tripwire/log file to which each tripwire report would be appended. I added that with the "add monitor" command, but this hasn't done anything either.
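As an added illustration (not part of the original post), here is one way to configure the forwarder and indexer so that whole Tripwire reports become searchable events. It assumes the reports are first rendered to text and appended to the /var/trip/tripwire/log file described above, since Tripwire's .twr report files are binary and a Splunk monitor input skips binary files unless NO_BINARY_CHECK is enabled; the sourcetype name, index name and the report header regex are assumptions to adjust to your environment.

```ini
# inputs.conf on the universal forwarder (added example, not from the post).
# Monitor the text log that rendered reports are appended to. Pointing a
# monitor at the raw .twr directory ingests nothing by default, because the
# forwarder's binary-file check rejects those files.
[monitor:///var/trip/tripwire/log]
# Assumed sourcetype name; used to match the props.conf stanza below.
sourcetype = tripwire:report
# Assumed index; it must already exist on the indexer.
index = ids
disabled = 0

# props.conf on the indexer (event breaking is done there, not on the
# universal forwarder). One appended report should become one event, so
# line merging stays on and events break only where a report header starts.
[tripwire:report]
SHOULD_LINEMERGE = true
# Assumed header line of a rendered report; check the first line of an
# actual report and adjust the regex.
BREAK_ONLY_BEFORE = ^Open Source Tripwire\(R\) .* Integrity Check Report
# Reports are long: lift the default 10000-byte event truncation and the
# default 256-line merge limit so the whole report stays in one event.
TRUNCATE = 0
MAX_EVENTS = 5000
# Only look for a timestamp near the start of each report's header.
MAX_TIMESTAMP_LOOKAHEAD = 64
```

After changing props.conf, restart the indexer or reload the configuration; the new breaking rules apply only to data indexed from that point on.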