Hello,
I have two issues with the Splunk app for EMC Isilon file system auditing:
1. I believe the app is meant to automatically look up the fail_code and SID in the respective lookup tables and create fields called description and Name, respectively; however, I don't see that in my logs when I run a search. Is this meant to happen automatically, or do I have to write a search to check the lookup table manually?
2. We are sending the logs through syslog to a file and monitoring the file; however, the file contains multiple logs, and I noticed that occasionally the app doesn't parse each log in the file. Instead, it ingests the whole file as a single log that has multiple logs in it, which are not parsed.
Any help would be appreciated.
Thanks,
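As an added example (not from the Isilon app or the original post), here is how Splunk's automatic lookups and per-line event breaking are normally wired up in props.conf and transforms.conf; the sourcetype name, lookup stanza names and CSV file names are assumptions, and the field names come from the question above:

```ini
# props.conf (sourcetype name is an assumption; check the app's own props.conf for the real one)
[isilon:audit]
# Treat each syslog line in the monitored file as its own event instead of
# merging the whole file (or many lines of it) into one event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Automatic lookups run at search time for events of this sourcetype:
# the event field fail_code is matched against the lookup's fail_code column
# and its description column is added to the event; likewise SID -> Name.
# OUTPUTNEW only fills the field if the event does not already have it.
LOOKUP-isilon_fail_code = isilon_fail_code_lookup fail_code OUTPUTNEW description
LOOKUP-isilon_sid = isilon_sid_lookup SID OUTPUTNEW Name

# transforms.conf (lookup definitions; the CSV names are assumptions)
[isilon_fail_code_lookup]
filename = isilon_fail_codes.csv

[isilon_sid_lookup]
filename = isilon_sids.csv
```

Automatic lookups only fire when the stanza matches the events' sourcetype (or source/host) and the app's search-time config is exported to the app you search from; `| inputlookup isilon_fail_code_lookup` confirms the table itself loads. If a monitored file still arrives as one multi-line event, the line-breaking stanza is not matching those events (wrong sourcetype, or the settings are on the search head rather than the indexer/forwarder that parses the data).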