  • danielpwilson

Splunk: Best Practice - Enriched log paths

Updated: Jun 11, 2019

Enrich your paths!

I ran into a customer who was doing this in cron on their CentOS host, using AIDE, a simple but powerful file integrity monitoring utility that ships with most Linux distributions.

14 * * * * /sbin/aide --check >> /var/log/aide.log

I'll start out by saying you don't always have a choice about your logging paths, names and so on, but often you do, as in the case above. As a Splunk admin, if I wanted to add search-time metadata lookups, such as the version of the config file or of the binary, I'd have to build a complex lookup table solution. Instead, in this case, I worked with the software owner to update the paths of his logs.

(I am writing this from memory; apologies for any errors. Let me know and I'll come back and fix them.)

# Fixed from the original: keep only the hash field of md5sum (its output also contains the file name, so the redirect target would break), and use an ISO date with no spaces (% must be escaped as \% inside a crontab)
14 * * * * /sbin/aide --check >> /var/log/aide_$(rpm -qa aide)_$(md5sum /etc/aide.conf | cut -d' ' -f1)_aide-$(date +\%F).log

From here I created three field extractions based on the path:

product - pulled straight from the third element of the path.

version - right after aide I have the actual version information in the path.

signature_version - not as obvious, but by using the checksum of the config I can determine which config we used to scan the system. I could probably have used a date or something like that, but I normally get that information from a [monitor] stanza I place on the config file itself. What I prefer to know is that the config file matches our current wanted config standard.
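The three extractions above, as an added example that is not part of the original post: the regex is written once in the Splunk (PCRE) named-group form that goes into a props.conf EXTRACT, then converted to Python's form so the same pattern can be tested offline against constructed paths, including the old unenriched path that yields no fields. It assumes the path layout /var/log/aide_<rpm NVRA>_<md5 of /etc/aide.conf>_aide-<YYYY-MM-DD>.log (md5sum trimmed to its hash field, ISO date); the sample hash and the approved-hash set are placeholders, and the function and stanza names are my own.

```python
import re

# Regex in Splunk (PCRE) named-group syntax; this exact string can be used as
# an EXTRACT in props.conf. Assumed layout (from the cron line in the post):
#   /var/log/aide_<rpm NVRA>_<md5 of /etc/aide.conf>_aide-<YYYY-MM-DD>.log
# 'version' is matched lazily because an NVRA such as ...x86_64 contains '_'.
SPLUNK_SOURCE_REGEX = (
    r"^/var/log/(?<product>[a-z]+)_(?<version>.+?)_"
    r"(?<signature_version>[0-9a-f]{32})_aide-(?<scan_date>\d{4}-\d{2}-\d{2})\.log$"
)

# Python's re only knows (?P<name>...), so rewrite the group openers.
# (Safe here: the pattern contains no lookbehind, which also starts with "(?<".)
_PY_REGEX = re.compile(SPLUNK_SOURCE_REGEX.replace("(?<", "(?P<"))


def parse_aide_source(source):
    """Return the enrichment fields carried by an AIDE log path, or None when
    the path is the old unenriched /var/log/aide.log form."""
    m = _PY_REGEX.match(source)
    return m.groupdict() if m else None


def config_matches_standard(fields, approved_hashes):
    """True only when the scan used a config whose md5 is in the approved set.
    A missing signature_version (unenriched path) counts as a mismatch."""
    return bool(fields) and fields.get("signature_version") in approved_hashes


def props_conf_stanza(sourcetype="aide"):
    """props.conf text that performs the same extraction at search time."""
    return f"[{sourcetype}]\nEXTRACT-aide_path = {SPLUNK_SOURCE_REGEX} in source\n"


# Constructed sample values: the hash is a placeholder, not a real aide.conf digest.
APPROVED_CONF_HASHES = {"0123456789abcdef0123456789abcdef"}
ENRICHED = ("/var/log/aide_aide-0.16-1.el7.x86_64_"
            "0123456789abcdef0123456789abcdef_aide-2019-06-11.log")
LEGACY = "/var/log/aide.log"

if __name__ == "__main__":
    for src in (ENRICHED, LEGACY):
        fields = parse_aide_source(src)
        print(src, "->", fields,
              "| approved config:", config_matches_standard(fields, APPROVED_CONF_HASHES))
    print(props_conf_stanza())
```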

The moral of the story: enrich your source paths so they carry extra details about the state of the log and of the system, right in the path of the log, whenever possible. You can always add a simple search-time field extraction down the road.

#splunk #aide #source #splunktrust #bestpractice
