Refine your search:

Can I Splunk my wtmp files?

5
1

The file /var/log/wtmp is where most *nix systems keep track of all logins and logouts to the system.

The file is not plain text, however, and contains binary data :

[root@dirtysanchez ~]# file /var/log/wtmp  
/var/log/wtmp: data

How can Splunk index the contents of that file?

asked 20 Aug '10, 13:20

hexx's gravatar image

hexx ♦
7.6k1941
accept rate: 51%

edited 06 Sep '10, 03:37

gkanapathy's gravatar image

gkanapathy ♦
26.5k1622
2 Answers:
oldestnewestmost voted
8

The first thing to do is to convert the file contents to text. For /var/log/wtmp, this will typically be achieved using the "who" and "last" commands, depending on if you want historical data (last) or current data (who).

Then, there are two approaches you can take :

  • Set up a scripted input calling a shell script that executes "who" or "last" with the options you need and that will index the generated output. This is the simplest approach.

  • Write a shell script external to Splunk that periodically reads /var/log/wtmp and writes it's output to a file monitored by Splunk. This can be more elaborate since "last" doesn't have tailing or time span selection capabilities, but advanced shell scripting and cron can be used to set this up.

link

answered 20 Aug '10, 13:35

hexx's gravatar image

hexx ♦
7.6k1941
accept rate: 51%

edited 20 Aug '10, 14:02

3

It's somewhat easier to convert wtmp to text using fwtmp, which is specifically designed for the purpose. On solaris, it's in /usr/lib/acct; on most linux systems, it's part of the acct (GNU account tools) package.

fwtmp takes wtmp(x) on standard input and produces lines like this on stdout:

pde                                   sshd                                 12173  8 0000 0000 1282333385 148991 0 0  Fri Aug 20 19:43:05 2010
pde                                   sshd                                 14663  7 0000 0000 1282340448 321800 0 39 adsl-68-92-27-201.dsl.rcsntx.swbell.net Fri Aug 20 21:40:48 2010
pde                              ts/7 pts/7                                14667  7 0000 0000 1282340448 515234 0 39 adsl-68-92-27-201.dsl.rcsntx.swbell.net Fri Aug 20 21:40:48 2010

Since the wtmp format is well documented, it should be a fairly trivial exercise to extract the information you require from the text representation of the records.

link

answered 20 Aug '10, 22:04

pde's gravatar image

pde
430111
accept rate: 40%

edited 21 Aug '10, 02:10

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×328
×89

Asked: 20 Aug '10, 13:20

Seen: 1,554 times

Last updated: 06 Sep '10, 03:37

Related questions

Scripted wtmp input rejected as Binary file

Splunk not receiving any events from custom (scripted) inputs

Why can't I index my wtmp, lastlog, etc files?

Python scripted inputs run with the wrong version of Python in Splunk 4.1.2

Splunk stopped indexing some files

Troubleshooting Scripted Inputs

Scripted Inputs via Separate Outputs

Splunk not indexing modified files

Line limit for scripted inputs?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.