Index Tripwire logs

Tripwire is a host-based IDS that runs on multiple platforms. In our installation we ran Tripwire on RHEL 5, HP-UX 11, and Windows 2003. For the most part Tripwire keeps its logs in its own database model, and Splunk was unable to reach those logs in the Oracle datastore. As a workaround we installed the Splunk light forwarder on the Windows box that was running the Tripwire Console and configured Tripwire to export its logs every hour. You can configure Tripwire to dump its logs every hour under the "Task" menu of the web console: there is a default "Archive Log Messages" task, and you just need to change its run time from the default of once a month to hourly.

The Splunk light forwarder (inputs.conf) was configured to monitor the default Tripwire log export directory, picking up only the XML files the export task writes there (`_whitelist` is the Splunk 3.x spelling of the key; later releases call it `whitelist`):

[monitor://C:\Program Files\Tripwire\TE\Server\data\log\]
disabled = false
_whitelist = \.xml$
sourcetype = tripwire_audit

The Splunk index server (props.conf) was configured, for the tripwire_audit sourcetype, to break the XML into one event per <LogMessage> element and to read the timestamp from each event:

MUST_NOT_BREAK_AFTER = <LogMessage[^s]
MUST_BREAK_AFTER = </LogMessage>
TIME_PREFIX = <Timestamp displayvalue="
TIME_FORMAT = %m/%d/%y %I:%M %p

The `[^s]` in the first pattern keeps the outer <LogMessages> wrapper element from being treated as the start of an event. TIME_PREFIX is a regular expression for the text that precedes the timestamp, not for the timestamp itself (props.conf takes a bare regex, without /.../g delimiters), so it stops at the opening quote of the displayvalue attribute; TIME_FORMAT then tells Splunk to parse the value that follows, which in the exports looks like 7/20/09 6:47 AM (month/day/two-digit year, 12-hour clock with AM/PM).
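As an added example (not part of this page, and not Tripwire or Splunk code), the script below applies the same event-breaking and timestamp rules to a constructed export, so the patterns can be checked on a sample file before they go into props.conf. The element names, attribute names and the displayvalue format in the sample are assumptions inferred from the regexes above, not a real Tripwire export.

```python
import re
from datetime import datetime

# Constructed sample of a Tripwire log export. The element names and the
# displayvalue format are assumptions taken from the props.conf patterns above.
SAMPLE_EXPORT = """<?xml version="1.0"?>
<LogMessages>
<LogMessage level="Info"><Timestamp displayvalue="7/20/09 6:47 AM"/>
<Text>Scheduled check completed on host-a (constructed)</Text></LogMessage>
<LogMessage level="Error"><Timestamp displayvalue="7/20/09 12:05 PM"/>
<Text>Element /etc/passwd changed on host-b (constructed)</Text></LogMessage>
</LogMessages>
"""

# Same idea as MUST_NOT_BREAK_AFTER / MUST_BREAK_AFTER: an event starts at
# <LogMessage followed by anything but "s" (so the <LogMessages> wrapper is
# skipped) and ends at the next </LogMessage>, however many lines that spans.
EVENT_RE = re.compile(r"<LogMessage[^s].*?</LogMessage>", re.DOTALL)

# TIME_PREFIX matches the text before the timestamp; TIME_FORMAT parses it.
TIME_PREFIX_RE = re.compile(r'<Timestamp displayvalue="')
TIME_FORMAT = "%m/%d/%y %I:%M %p"


def split_events(export_text):
    """Return each <LogMessage>...</LogMessage> block as one event string."""
    return [m.group(0) for m in EVENT_RE.finditer(export_text)]


def extract_timestamp(event):
    """Return the event's timestamp as a datetime, or None if it cannot be read."""
    m = TIME_PREFIX_RE.search(event)
    if m is None:
        return None
    # The attribute's closing quote delimits the value that follows the prefix.
    value = event[m.end():].split('"', 1)[0]
    try:
        return datetime.strptime(value, TIME_FORMAT)
    except ValueError:
        return None


def parse_export(export_text):
    """Return (timestamp, event) pairs in file order."""
    return [(extract_timestamp(e), e) for e in split_events(export_text)]
```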


Jasonnadeau 06:47, 20 July 2009 (PDT)

