Getting Data In

Can I Splunk my wtmp files?

hexx
Splunk Employee
Splunk Employee

The file /var/log/wtmp is where most *nix systems keep track of all logins and logouts to the system.

The file is not plain text, however, and contains binary data :

[root@dirtysanchez ~]# file /var/log/wtmp  
/var/log/wtmp: data

How can Splunk index the contents of that file?

1 Solution

hexx
Splunk Employee
Splunk Employee

The first thing to do is to convert the file contents to text. For /var/log/wtmp, this will typically be achieved using the "who" and "last" commands, depending on if you want historical data (last) or current data (who).

Then, there are two approaches you can take :

  • Set up a scripted input calling a shell script that executes "who" or "last" with the options you need and that will index the generated output. This is the simplest approach.

  • Write a shell script external to Splunk that periodically reads /var/log/wtmp and writes it's output to a file monitored by Splunk. This can be more elaborate since "last" doesn't have tailing or time span selection capabilities, but advanced shell scripting and cron can be used to set this up.

View solution in original post

pde
Path Finder

It's somewhat easier to convert wtmp to text using fwtmp, which is specifically designed for the purpose. On solaris, it's in /usr/lib/acct; on most linux systems, it's part of the acct (GNU account tools) package.

fwtmp takes wtmp(x) on standard input and produces lines like this on stdout:

pde                                   sshd                                 12173  8 0000 0000 1282333385 148991 0 0  Fri Aug 20 19:43:05 2010
pde                                   sshd                                 14663  7 0000 0000 1282340448 321800 0 39 adsl-68-92-27-201.dsl.rcsntx.swbell.net Fri Aug 20 21:40:48 2010
pde                              ts/7 pts/7                                14667  7 0000 0000 1282340448 515234 0 39 adsl-68-92-27-201.dsl.rcsntx.swbell.net Fri Aug 20 21:40:48 2010

Since the wtmp format is well documented, it should be a fairly trivial exercise to extract the information you require from the text representation of the records.

hexx
Splunk Employee
Splunk Employee

The first thing to do is to convert the file contents to text. For /var/log/wtmp, this will typically be achieved using the "who" and "last" commands, depending on if you want historical data (last) or current data (who).

Then, there are two approaches you can take :

  • Set up a scripted input calling a shell script that executes "who" or "last" with the options you need and that will index the generated output. This is the simplest approach.

  • Write a shell script external to Splunk that periodically reads /var/log/wtmp and writes it's output to a file monitored by Splunk. This can be more elaborate since "last" doesn't have tailing or time span selection capabilities, but advanced shell scripting and cron can be used to set this up.

Hemnaath
Motivator

Hi Hexx, Got a request to monitor the wtmpx file in splunk, but I am not sure how to create a script to read and write the data from wtmpx file from /var/adm/wtmpx and output the data into a text file, which splunk can read it. If you can guide me on creating a script, it will be great help.

thanks in advance.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...