Splunk Base : SplunkAdministration : #3420

Problem to Index Linux Auditd

splunkles99 — Mon, 25 Jan 2010 08:16:31 PST

OK cracked it

Not sure if i's a bug or not but I was configuring the tcp port vi a the data inputs link on the mgmt links on the receiver - just did it through the set up Forwarders and Receivers tab instead and it worked straight away.

Problem to Index Linux Auditd

splunkles99 — Mon, 25 Jan 2010 06:29:55 PST

Yep the index is there and I have mapped the admin user to it. I log on with the admin user account, but there is no data in the index to search as it's all in the main index - so that proves all comnnectivity is working - I can generate the logs - snoop the interface - see the data getting into the mainindex - view the data in the main index but I want it in the devidx index.

What I'm trying to achieve is logging all data forwarded from a remote /var/log/ to a specific index - I don't think routing specific events to specific queues is what I'm after but will take a look - thanks

Problem to Index Linux Auditd

gkanapathy — Tue, 19 Jan 2010 20:26:01 PST

http://www.splunk.com/base/Documentation/latest/Admin/Routeeventstospecificqueues

Problem to Index Linux Auditd

gkanapathy — Tue, 19 Jan 2010 20:09:27 PST

Have you
* created the new index on the indexer
* set your user role to be allowed and/or to default to search the new index?

Problem to Index Linux Auditd

splunkles99 — Tue, 19 Jan 2010 07:24:06 PST

can you post you inputs.conf - I'm having similar issues - I can forward data from my splunklightforwarder to a port on the indexer but it's not going to the index i set in the inputs.conf using

[monitor:///usr/local/apache2/logs/]
apache logs /usr/local/apache2/logs/
index = devidx
disabled = false
host = devhost

I can view the data in the main index but not my devidx

Problem to Index Linux Auditd

araitz — Thu, 15 Oct 2009 07:48:46 PDT

Great to hear!

Problem to Index Linux Auditd

apardo — Thu, 15 Oct 2009 04:54:24 PDT

Araitz. I resolved the problem.
I configured my inputs.conf in the Apps

"opt/splunk/etc/apps/search/local/inputs.conf"

I added the index parameters to indicate what index has to go the data.
I think the problem was the splunk started using the main index by default and auto set the sourcetype=linux_auditt

Now It's indexing on the OS index and using the sourcetype=audit.log and show all the events or at least the most important.

thanks for your help.

Problem to Index Linux Auditd

araitz — Wed, 14 Oct 2009 15:17:13 PDT

I'm looking for the inputs.conf that tells the forwarder which files to monitor, but I wouldn't worry about that at the moment.

What search are you running on the indexer that shows you only 3 of 5 lines? What is the time picker set to? If you want, you can upload a screenshot to www.imagebin.ca and post the link to it here.

Problem to Index Linux Auditd

apardo — Wed, 14 Oct 2009 12:52:41 PDT

the /opt/splunk/etc/system/local/inputs.conf

[default]
host = centos4

the /opt/splunk/etc/system/default/inputs.conf

Copyright (C) 2005-2009 Splunk Inc. All Rights Reserved. Version 4.0
DO NOT EDIT THIS FILE!
Please make all changes to files in $SPLUNK_HOME/etc/system/local.
To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/system/default
into ../local and edit there.

This file contains possible attributes and values you can use to
configure inputs, distributed inputs and file system monitoring.

[default]
index = default
host = localhost
_rcvbuf = 1572864

[monitor:$SPLUNK_HOME/var/log/splunk]
index = _internal

[batch:$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt = <SOURCE>

[fschange:$SPLUNK_HOME/etc]
#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[splunktcp]
route=has_key:_utf8:indexQueue;has_key:_linebreaker:indexQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue

[SSL]

default cipher suites that splunk allows. Change this if you wish to increase the security
of SSL connections, or to lower it if you having trouble connecting to splunk.

cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Problem to Index Linux Auditd

apardo — Wed, 14 Oct 2009 12:03:08 PDT

Please tell me the path of the inputs.conf

Problem to Index Linux Auditd

araitz — Wed, 14 Oct 2009 11:10:59 PDT

What does your inputs.conf look like on the forwarder?

Problem to Index Linux Auditd

apardo — Wed, 14 Oct 2009 10:09:35 PDT

Hi everyone.

I have some problems to get full index some linux audit log.
I set a light forwarder server to report they /var/log/audit/audit.log to the central server.

The forwarder show in the log file the normal lines
example /var/log/audit/audit.log

type=PATH msg=audit(1255538594.639:261): name="/etc/file6" flags=310 inode=473281 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1255538594.639:261): cwd="/root"
type=FS_INODE msg=audit(1255538594.639:261): inode=473281 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=FS_WATCH msg=audit(1255538594.639:261): watch_inode=473281 watch="etc" filterkey=etc perm=2 perm_mask=3
type=SYSCALL msg=audit(1255538594.639:261): arch=40000003 syscall=5 success=yes exit=3 a0=bff6fc4b a1=8941 a2=1b6 a3=8941 items=1 pid=16375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe="/bin/touch"

but the Central Splunk just show me 3 of 5 lines.

type=CWD msg=audit(1255538594.639:261): cwd="/root"
type=FS_WATCH msg=audit(1255538594.639:261): watch_inode=473281 watch="etc" filterkey=etc perm=2 perm_mask=3
type=SYSCALL msg=audit(1255538594.639:261): arch=40000003 syscall=5 success=yes exit=3 a0=bff6fc4b a1=8941 a2=1b6 a3=8941 items=1 pid=16375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe="/bin/touch"

I don't know what to touch to allow to index the full log and not partially. BTW When I index a off line file as /var/log/audit/audit.1.log show me all the content.

my best regards for any help on this one.

Alvaro Pardo