Vendor - Nix Generic¶
Product - All Products¶
Many appliance vendor utilize Linux and BSD distributions as the foundation of the solution. When configured to log via syslog, these devices’ OS logs (from a security perspective) can be monitored using the common Splunk Nix TA.
Note: This is NOT a replacement for or alternative to the Splunk Universal forwarder on Linux and Unix. For general-purpose server applications, the Universal Forwarder offers more comprehensive collection of events and metrics appropriate for both security and operations use cases.
| Ref | Link |
|---|---|
| Splunk Add-on | https://splunkbase.splunk.com/app/833/ |
Sourcetypes¶
| sourcetype | notes |
|---|---|
| nix:syslog | None |
Sourcetype and Index Configuration¶
| key | sourcetype | index | notes |
|---|---|---|---|
| nix_syslog | nix:syslog | osnix | none |
Filter type¶
MSG Parse: This filter parses message content
Setup and Configuration¶
- Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
- Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source.
Options¶
| Variable | default | description |
|---|---|---|
| SC4S_ARCHIVE_NIX_SYSLOG | no | Enable archive to disk for this specific source |
| SC4S_DEST_NIX_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
Verification¶
An active proxy will generate frequent events. Use the following search to validate events are present per source device
index=osnix sourcetype=nix:syslog | stats count by host