The venerable old-skool Splunk forums are now closed. Feel free to search for old content here, but new posts are no longer supported.

Instead, please visit the thriving community at answers.splunk.com to ask and answer questions about your Splunk deployment and how to get the most out of it.

Forums: SplunkAdministration: Problem to Index Linux Auditd

Previous Topic: Export 1 Minute and Import On Another Server  |   Next Topic: Splunk to monitor Oracle logs


Posts 1–10 of 12
1
posted by: apardo  |  posts
date: October 14, 2009
permalink

Hi everyone.

I have some problems to get full index some linux audit log.
I set a light forwarder server to report they /var/log/audit/audit.log to the central server.

The forwarder show in the log file the normal lines
example /var/log/audit/audit.log

type=PATH msg=audit(1255538594.639:261): name="/etc/file6" flags=310 inode=473281 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1255538594.639:261): cwd="/root"
type=FS_INODE msg=audit(1255538594.639:261): inode=473281 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=FS_WATCH msg=audit(1255538594.639:261): watch_inode=473281 watch="etc" filterkey=etc perm=2 perm_mask=3
type=SYSCALL msg=audit(1255538594.639:261): arch=40000003 syscall=5 success=yes exit=3 a0=bff6fc4b a1=8941 a2=1b6 a3=8941 items=1 pid=16375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe="/bin/touch"

but the Central Splunk just show me 3 of 5 lines.

type=CWD msg=audit(1255538594.639:261): cwd="/root"
type=FS_WATCH msg=audit(1255538594.639:261): watch_inode=473281 watch="etc" filterkey=etc perm=2 perm_mask=3
type=SYSCALL msg=audit(1255538594.639:261): arch=40000003 syscall=5 success=yes exit=3 a0=bff6fc4b a1=8941 a2=1b6 a3=8941 items=1 pid=16375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe="/bin/touch"

I don't know what to touch to allow to index the full log and not partially. BTW When I index a off line file as /var/log/audit/audit.1.log show me all the content.

my best regards for any help on this one.

Alvaro Pardo

2
posted by: araitz  |  posts
date: October 14, 2009
permalink

What does your inputs.conf look like on the forwarder?

3
posted by: apardo  |  posts
date: October 14, 2009
permalink

Please tell me the path of the inputs.conf

4
posted by: apardo  |  posts
date: October 14, 2009
permalink

the /opt/splunk/etc/system/local/inputs.conf

[default]
host = centos4

the /opt/splunk/etc/system/default/inputs.conf

  1. Copyright (C) 2005-2009 Splunk Inc. All Rights Reserved. Version 4.0
  2. DO NOT EDIT THIS FILE!
  3. Please make all changes to files in $SPLUNK_HOME/etc/system/local.
  4. To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/system/default
  5. into ../local and edit there.

#

  1. This file contains possible attributes and values you can use to
  2. configure inputs, distributed inputs and file system monitoring.

[default]
index = default
host = localhost
_rcvbuf = 1572864

[monitor:$SPLUNK_HOME/var/log/splunk]
index = _internal

[batch:$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt = <SOURCE>

[fschange:$SPLUNK_HOME/etc]
#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[splunktcp]
route=has_key:_utf8:indexQueue;has_key:_linebreaker:indexQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue

[SSL]

  1. default cipher suites that splunk allows. Change this if you wish to increase the security
  2. of SSL connections, or to lower it if you having trouble connecting to splunk.

cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

5
posted by: araitz  |  posts
date: October 14, 2009
permalink

I'm looking for the inputs.conf that tells the forwarder which files to monitor, but I wouldn't worry about that at the moment.

What search are you running on the indexer that shows you only 3 of 5 lines? What is the time picker set to? If you want, you can upload a screenshot to www.imagebin.ca and post the link to it here.

6
posted by: apardo  |  posts
date: October 15, 2009
permalink

Araitz. I resolved the problem.
I configured my inputs.conf in the Apps

"opt/splunk/etc/apps/search/local/inputs.conf"

I added the index parameters to indicate what index has to go the data.
I think the problem was the splunk started using the main index by default and auto set the sourcetype=linux_auditt

Now It's indexing on the OS index and using the sourcetype=audit.log and show all the events or at least the most important.

thanks for your help.

7
posted by: araitz  |  posts
date: October 15, 2009
permalink

Great to hear!

8
posted by: splunkles99  |  posts
date: January 19, 2010
permalink

can you post you inputs.conf - I'm having similar issues - I can forward data from my splunklightforwarder to a port on the indexer but it's not going to the index i set in the inputs.conf using

[monitor:///usr/local/apache2/logs/]
apache logs /usr/local/apache2/logs/
index = devidx
disabled = false
host = devhost

I can view the data in the main index but not my devidx

9
posted by: gkanapathy  |  posts
date: January 19, 2010
permalink

Have you
* created the new index on the indexer
* set your user role to be allowed and/or to default to search the new index?

10
posted by: gkanapathy  |  posts
date: January 19, 2010
permalink

http://www.splunk.com/base/Documentation/latest/Admin/Routeeventstospecificqueues




1   |   2    Next »