All,
I had originally handled this with a HUGE pile of SED commands and loops in a BASH script. But I am thinking there has to be a "Splunk" way of extracting these fields.
Start timestamp: 2016-06-11 01:53:00
Summary:
Total number of files: 1116
Added files: 0
Removed files: 1
Changed files: 3
---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /var/log/aide/aideCIM.log
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /var/log/aide
changed: /var/log/aide/aide.log
changed: /var/log/aide/aide_files.log
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /var/log/aide
Size : 60 , 42
File: /var/log/aide/aide.log
Inode : 203813062 , 203815353
File: /var/log/aide/aide_files.log
Size : 8241 , 6287
Perm : -rw-r--r-- , -rw-------
Inode : 203813077 , 203813089
ACL : old = A:
----
user::rw-
group::r--
other::r--
----
D:
new = A:
----
user::rw-
group::---
other::---
----
D:
The area that challenges me the most is the multiple "changed" lines in a single log file. And of course the detail area. Any recommendations? Starting points?
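As an added example (not from the post, and not AIDE's or Splunk's own code), here is a small Python parser that walks the report above in one stateful pass: it pulls the summary counts, turns the repeated `removed:`/`changed:` lines into lists, and then reads the "Detailed information" block where each `File:`/`Directory:` header changes what the following lines mean. The `SAMPLE_REPORT` is a constructed copy of the report in the post; the attribute line shape `Name : old , new` and the multi-line `ACL : old = ... new = ...` layout are taken from that sample, and it is an assumption that other AIDE attributes follow the same shape.

```python
import re

# Constructed sample: a copy of the AIDE report from the post.
SAMPLE_REPORT = """Start timestamp: 2016-06-11 01:53:00
Summary:
Total number of files: 1116
Added files: 0
Removed files: 1
Changed files: 3
---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /var/log/aide/aideCIM.log
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /var/log/aide
changed: /var/log/aide/aide.log
changed: /var/log/aide/aide_files.log
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /var/log/aide
Size : 60 , 42
File: /var/log/aide/aide.log
Inode : 203813062 , 203815353
File: /var/log/aide/aide_files.log
Size : 8241 , 6287
Perm : -rw-r--r-- , -rw-------
Inode : 203813077 , 203813089
ACL : old = A:
----
user::rw-
group::r--
other::r--
----
D:
new = A:
----
user::rw-
group::---
other::---
----
D:
"""

TS_RE = re.compile(r"^Start timestamp:\s*(?P<ts>\S+ \S+)$")
SUMMARY_RE = re.compile(r"^(?P<key>Total number of files|Added files|Removed files|Changed files):\s*(?P<n>\d+)$")
LIST_RE = re.compile(r"^(?P<action>added|removed|changed):\s+(?P<path>\S.*)$")      # the repeated lines
ENTRY_RE = re.compile(r"^(?P<kind>File|Directory):\s+(?P<path>\S.*)$")             # detail block header
ATTR_RE = re.compile(r"^(?P<name>[A-Za-z]+)\s*:\s*(?P<old>.*?)\s*,\s*(?P<new>.*?)\s*$")  # "Size : 60 , 42"


def parse_aide_report(text):
    """Parse one AIDE report into summary counts, path lists and per-path attribute changes."""
    report = {"start_timestamp": None, "summary": {}, "added": [], "removed": [], "changed": [], "details": []}
    in_details = False
    entry = None      # the File:/Directory: entry currently being filled
    acl_side = None   # "old" or "new" while inside a multi-line ACL block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank lines and '----' separators carry no data
        if not in_details:
            if (m := TS_RE.match(line)):
                report["start_timestamp"] = m.group("ts")
            elif (m := SUMMARY_RE.match(line)):
                report["summary"][m.group("key")] = int(m.group("n"))
            elif (m := LIST_RE.match(line)):
                report[m.group("action")].append(m.group("path"))
            elif line == "Detailed information about changes:":
                in_details = True
            continue
        if (m := ENTRY_RE.match(line)):
            entry = {"kind": m.group("kind"), "path": m.group("path"), "changes": {}}
            report["details"].append(entry)
            acl_side = None
            continue
        if entry is None:
            continue
        if line.startswith("ACL"):  # "ACL : old = A:" opens the old half of the block
            acl_side = "old"
            entry["changes"]["ACL"] = {"old": [line.split("=", 1)[1].strip()], "new": []}
        elif acl_side == "old" and line.startswith("new ="):
            acl_side = "new"
            entry["changes"]["ACL"]["new"].append(line.split("=", 1)[1].strip())
        elif (m := ATTR_RE.match(line)):  # a normal "old , new" attribute also ends any ACL block
            acl_side = None
            entry["changes"][m.group("name")] = {"old": m.group("old"), "new": m.group("new")}
        elif acl_side:
            entry["changes"]["ACL"][acl_side].append(line)
    return report


def to_events(report):
    """Flatten to one record per affected path: the shape each Splunk event should carry."""
    detail_by_path = {d["path"]: d for d in report["details"]}
    events = []
    for action in ("added", "removed", "changed"):
        for path in report[action]:
            ev = {"timestamp": report["start_timestamp"], "action": action, "path": path}
            if (d := detail_by_path.get(path)):
                ev["kind"] = d["kind"]
                ev["attrs_changed"] = sorted(d["changes"])
                for name, ch in d["changes"].items():
                    if isinstance(ch["old"], str):  # ACL values are lists; keep them in report['details']
                        ev[name.lower() + "_old"] = ch["old"]
                        ev[name.lower() + "_new"] = ch["new"]
            events.append(ev)
    return events


if __name__ == "__main__":
    for ev in to_events(parse_aide_report(SAMPLE_REPORT)):
        print(" ".join(f"{k}={v}" for k, v in ev.items()))
```

In Splunk terms, `LIST_RE` is the pattern you would hand to `rex` with `max_match=0` to turn the repeated `changed:` lines into a multivalue field, and `mvexpand` then yields one row per path. The detail block is the part that resists a single regex, because each `File:` header changes the meaning of the lines after it; the stateful pass above (or a scripted input that emits the `to_events` records as key=value lines) is the straightforward way to get per-path fields such as `perm_old`/`perm_new` out of it.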