Skip to main content
 
 
Splunk Lantern

Linux and Unix

 

Linux is the most-used open source operating system. The code used to create Linux is free and available to the public to view, edit, and contribute to.  As an operating system, Linux is software that sits underneath all of the other software on a computer, receiving requests from those programs and relaying these requests to the computer’s hardware. Unlike other operating systems, there are many distributions of Linux. This means that the core components of Linux are customizable. Similar to other operating systems, there are different types of logs can you get from Linux.

  • Security logs. Linux security logs are a source of data that records information related to login attempts (success and failure), elevated privileges, and other security events as defined by the system’s audit policy. Security data is collected and written to the plain text log files hosted within the operating system. These logs are one of the primary tools used by security analysts to detect and investigate unauthorized activity and to troubleshoot access problems. The Linux security logs contain important events relating to applications, system services, and the operating system. The events describe errors, warnings or details about activity taking place on each system. This information is used to monitor and troubleshoot each system. In the Common Information Model, Linux security logs can be mapped to any of the following data models, depending on the field: EndpointNetwork SessionsInventoryUpdatesChangePerformance
  • Operating logs. Linux operating system logs are a source of data that reports on state changes in a UNIX or Linux variant operating system. This includes changes to applications, service state, and hardware events. Data collected from these different elements are written to the plain text log files hosted within the operating system. These events are used by operations and development teams to troubleshoot and mitigate errors. The operating system logs contain important events relating to applications, system services, and the operating system. The events describe errors, warnings, and other information about activity taking place on each system. This information is used to monitor and troubleshoot each system. In the Common Information Model, Linux operating system logs can be mapped to any of the following data models, depending on the field: EndpointInventoryUpdatesChangePerformanceNetwork Sessions

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: