Generic *NIX
Many appliance vendor utilize Linux and BSD distributions as the foundation of the solution. When configured to log via
syslog, these devices’ OS logs (from a security perspective) can be monitored using the common Splunk Nix TA.
Note: This is NOT a replacement for or alternative to the Splunk Universal forwarder on Linux and Unix. For general-purpose
server applications, the Universal Forwarder offers more comprehensive collection of events and metrics appropriate for both
security and operations use cases.
Sourcetypes
| sourcetype |
notes |
| nix:syslog |
None |
Sourcetype and Index Configuration
| key |
sourcetype |
index |
notes |
| nix_syslog |
nix:syslog |
osnix |
none |
Filter type
MSG Parse: This filter parses message content
Setup and Configuration
- Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
- Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source.
Options
| Variable |
default |
description |
| SC4S_ARCHIVE_NIX_SYSLOG |
no |
Enable archive to disk for this specific source |
| SC4S_DEST_NIX_SYSLOG_HEC |
no |
When Splunk HEC is disabled globally set to yes to enable this specific source |