Splunk: Best Practice - Enriched log paths
Updated: Jun 11, 2019
Enrich your paths!
I ran into a customer who was doing this in cron on their CentOS host, using AIDE, a simple but powerful file integrity monitoring utility that is packaged by most Linux distributions.
14 * * * * /sbin/aide --check >> /var/log/aide.log
I'll start out by saying you don't always have a choice about your logging paths, file names and so on, but often, as above, you do. As a Splunk admin, if I wanted search-time metadata such as the version of the binary or of the config file that produced each scan, I would otherwise have to build and maintain a lookup table keyed on host and time. Instead, in this case, I worked with the software owner to change the paths of his logs so that the metadata rides along in the path itself.
(I am writing this from memory; apologies for any errors. Let me know and I'll come back and fix them.)
14 * * * * /sbin/aide --check >> /var/log/aide_`rpm -qa aide`_`md5sum /etc/aide.conf | cut -d' ' -f1`_aide-`date -I`.log
Two details matter for this to work as a crontab entry: md5sum prints the hash followed by the file name, so only the first field is kept (otherwise the target path contains a space and a second slash and the shell refuses the redirect), and the date comes from date -I (ISO YYYY-MM-DD) rather than a format string, because cron treats an unescaped % in the command as a newline. Since the file name now changes daily and whenever the package or the config changes, the Splunk input must be a wildcard monitor stanza such as [monitor:///var/log/aide_*.log] rather than a fixed file name.
From here I created three search-time field extractions, all taken from the source path:
product - the third component of the path, which here is the leading aide of the file name.
version - the package version string right after the product name, so each log records which AIDE binary produced it.
signature_version - less obvious, but the checksum of the config tells me exactly which aide.conf was in force for that scan. I could have used a date or something similar instead, but I normally already get that from a [monitor] stanza I place on the config file itself. What I actually want to know is whether the config used for the scan matches our current approved config standard: a search that compares signature_version with the approved hash flags every scan that ran under a drifted or edited config, for example one where the rule set was loosened. Keep in mind that the hash is computed on the monitored host itself, so it is a drift signal rather than a tamper-proof one; root on that host can forge the path.
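The following script is added here as an illustration; it is not part of the original post or of AIDE. It moves the path building into a small script (so cron calls the script and the % problem never arises), then parses the fields back out the way the three search-time extractions above do, and checks the embedded config signature against an approved baseline. The function names, the regex and the sample aide.conf content are this example's own assumptions, and it hashes a constructed temp file rather than the real /etc/aide.conf so it runs anywhere.

```shell
#!/bin/sh
# Added example, not the post's own cron line or any AIDE code.
# Builds a cron-safe enriched AIDE log path, parses the fields back out the
# way the search-time extractions do, and checks the config signature against
# an approved baseline.  Function names and sample data are this example's own.
set -eu

# Build the path.  Arguments: product, package version string, config file,
# scan date as YYYY-MM-DD.  Only the first field of md5sum is used, so the
# name never contains a space or a second "/".
enriched_log_path() {
    sig=$(md5sum "$3" | cut -d' ' -f1)
    printf '/var/log/%s_%s_%s_%s-%s.log\n' "$1" "$2" "$sig" "$1" "$4"
}

# Mirror of the search-time extraction.  Prints
# "product version signature_version scan_date", or nothing if the path does
# not have the enriched shape.  The fixed 32-hex-digit signature anchors the
# pattern, so a version string containing "_" (rpm arch suffixes such as
# x86_64) still parses correctly.
extract_path_fields() {
    printf '%s\n' "$1" | sed -nE \
        's#^/var/log/([^_/]+)_(.+)_([0-9a-f]{32})_[^_/]+-([0-9]{4}-[0-9]{2}-[0-9]{2})\.log$#\1 \2 \3 \4#p'
}

# Returns 0 when the signature embedded in the path equals the approved
# baseline hash, 1 otherwise.  A mismatch means the scan ran under a config
# that is not the approved standard: drift, or a loosened rule set.
config_matches_baseline() {
    sig=$(extract_path_fields "$1" | cut -s -d' ' -f3)
    [ "$sig" = "$2" ]
}

# Stand-alone demo with a constructed config file.  On a real host the
# crontab entry would be just "14 * * * * /usr/local/sbin/aide-check.sh"
# (hypothetical script name), with the version taken from rpm -q aide and
# the date from date -I inside the script.
demo_conf=$(mktemp)
printf 'database=file:/var/lib/aide/aide.db\n/etc p+i+n+u+g+s+m+c+md5\n' > "$demo_conf"
path=$(enriched_log_path aide aide-0.16-14.el7.x86_64 "$demo_conf" 2019-06-11)
echo "$path"
extract_path_fields "$path"
rm -f "$demo_conf"
```

On the Splunk side the same pattern goes into props.conf for the sourcetype as a search-time extraction on the source field, for example `EXTRACT-aide_path = ^/var/log/(?<product>[^_/]+)_(?<version>.+)_(?<signature_version>[0-9a-f]{32})_[^_/]+-(?<scan_date>\d{4}-\d{2}-\d{2})\.log$ in source`, and a scheduled search along the lines of `sourcetype=aide signature_version!=<approved hash>` is the drift alert that config_matches_baseline models here.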
The moral of the story is to enrich your source paths whenever possible, so that details about the state of the log and of the system that produced it are captured right in the path. A simple search-time field extraction on source can always be added later, but metadata that was never written down cannot be recovered.