
Splunking your iPhone

Had a little fun last night. Enabled syslogd on the iPhone and sent the logs to a splunk instance via UDP/514

The process: hack your iPhone and install ssh, then enable syslogd by the following method (thanks to core on #iphone):

syslog
20:00 so to get syslog running you need /etc/syslogd.conf from your mac
20:01 then break the syslog in /System/Library/LaunchDaemons/apple.com.syslogd by putting in bad values
20:01 then restart the phone and run
20:01 /usr/sbin/syslogd -bsd_out 1 &

Then edit /etc/syslog.conf and append *.* @loghost

Restart syslogd and you’re set.

Then just set splunk up to listen on 514/UDP and you have iPhone logs.

Interesting bit found: launchd, the service that starts the daemons on the iPhone, just keeps respawning services. The iPhone lacks a standard service control mechanism such as the SysV-compatible init process.

Rant on Syslogd

Syslogd really should either be modified or ditched for syslog-ng. As anyone who looks at logs knows, it's crucial to have full, standard time stamps. These should include HH:MM:SS:MS and YYYY-MM-DD. RFC 3164 states:

5.1 Dates and Time

It has been found that some network administrators like to archive their syslog messages over long periods of time. It has been seen that some original syslog messages contain a more explicit time stamp in which a 2 character or 4 character year field immediately follows the space terminating the TIMESTAMP. This is not consistent with the original intent of the order and format of the fields. If implementers wish to contain a more specific date and time stamp within the transmitted message, it should be within the CONTENT field. Implementers may wish to utilize the ISO 8601 [7] date and time formats if they want to include more explicit date and time information. Additional methods to address this desire for long-term archiving have been proposed and some have been successfully implemented. One such method is that the network administrators may choose to modify the messages stored on their collectors. They may run a simple script to add the year, and any other information, to each stored record. Alternatively, the script may replace the stored time with a format more appropriate for the needs of the network administrators. Another alternative has been to insert a record into the file that contains the current year. By association then, all other records near that informative record should have been received in that same year. Neither of these however, addresses the issue of associating a correct timezone with each record.

IMHO, this is backwards. We shouldn't require developers to put the year in the content field or have people post-process logs to include the year. Syslog should properly write out the year.
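As an added illustration of the year problem described above (this is example code, not anything from the post or from Splunk), here is a small RFC 3164 parser of the kind a collector listening on UDP/514 could run over each received line. It takes the collector's own timezone-aware receipt time and uses it to pick the year the message must belong to, so a December line that arrives in early January is filed under the previous year, a leap-day line is placed in a leap year, and a sender clock running slightly ahead does not push a message a whole year into the past. The sample lines are constructed to look like what the phone's syslogd emits, not captured output.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3164 message shape: <PRI>Mmm dd HH:MM:SS HOSTNAME TAG: MESSAGE
# The TIMESTAMP field carries neither a year nor a timezone, which is
# what makes long-term archiving painful.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "   # day is space-padded
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)
MONTHS = {name: i for i, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# How far ahead of the collector a sender's clock may run before we stop
# believing the message was sent this year (hypothetical tolerance).
CLOCK_SKEW = timedelta(days=1)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Convenience constructor for a timezone-aware UTC datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def infer_year(month, day, hh, mm, ss, received_at):
    """Attach a year to a year-less timestamp using the collector's receipt time.

    Try the receipt year and its two neighbours, drop impossible dates
    (Feb 29 in a non-leap year), drop candidates further in the future
    than CLOCK_SKEW, and keep the latest one that remains.
    """
    candidates = []
    for year in (received_at.year - 1, received_at.year, received_at.year + 1):
        try:
            candidates.append(datetime(year, month, day, hh, mm, ss,
                                       tzinfo=received_at.tzinfo))
        except ValueError:
            continue  # e.g. Feb 29 in a non-leap year
    if not candidates:
        raise ValueError("no valid date for %02d-%02d near %d"
                         % (month, day, received_at.year))
    plausible = [c for c in candidates if c <= received_at + CLOCK_SKEW]
    return max(plausible) if plausible else min(candidates)


def parse_rfc3164(line, received_at):
    """Parse one RFC 3164 line into a dict with an ISO 8601 timestamp, or None."""
    m = RFC3164_RE.match(line)
    if not m:
        return None
    month = MONTHS.get(m.group("mon"))
    if month is None:
        return None
    pri = int(m.group("pri"))
    ts = infer_year(month, int(m.group("day")), int(m.group("hh")),
                    int(m.group("mm")), int(m.group("ss")), received_at)
    return {
        "facility": pri >> 3,   # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": ts.isoformat(),
        "host": m.group("host"),
        "message": m.group("rest"),
    }


# Constructed sample lines, all received by the collector at the same instant.
RECEIVED_AT = utc(2008, 1, 3, 10, 0, 0)
SAMPLE_LINES = [
    "<38>Dec 31 23:58:01 iPhone SpringBoard[27]: app launched",   # last year
    "<13>Jan  3 09:59:00 iPhone launchd[1]: respawning",          # this year
    "<13>Jan  4 00:00:05 iPhone launchd[1]: sender clock ahead",  # within skew
    "not a syslog line at all",
]


def normalize_samples():
    """Run the parser over SAMPLE_LINES; unparseable lines come back as None."""
    return [parse_rfc3164(line, RECEIVED_AT) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for record in normalize_samples():
        print(record)
```

The same approach works as a post-processing script over an archived file, which is what RFC 3164 suggests, except that the collector's receipt time is usually the file's write time in that case; the timezone still has to come from the collector, since the message itself never carries one.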

selinux and splunk

If you’ve enabled selinux for whatever reason, you need to either disable it or configure it to allow splunk to run.

To configure selinux to allow splunk to run, you need to run the chcon command on the splunk lib directory. Here is what you type:

chcon -c -v -R -u system_u -r object_r -t lib_t $SPLUNK_HOME/lib > /dev/null 2>&1

You can also disable the check when splunk starts by adding this line to the $SPLUNK_HOME/bin/setSplunkEnv script:

export SPLUNK_IGNORE_SELINUX=1

Telling Splunk to not phone home for update info.

(2.1.1 only)

We've had a few people ask for this. It's going to be in the documentation eventually, but until then here is how you do it.

Edit $SPLUNK_HOME/etc/myinstall/search.xml

Change:

<updateCheckerBaseURL>http://quickdraw.splunk.com/js/</updateCheckerBaseURL>

to:

<updateCheckerBaseURL>0</updateCheckerBaseURL>

(2.1)

Edit $SPLUNK_HOME/share/splunk/search/static/js/update_checker_pro.js

At the top of the file, and within that same setup function, comment out these two lines:
createUpdateCheckerScriptlet();
setTimeout('possiblyFallBackToCannotConnectMessage()', 5000);

Allowing users to log in with HTTP GET in 2.1x

I’ve had to field a few of these requests so here goes.

This assumes you understand that by doing this you send usernames and passwords in clear text, and that you accept the risks involved.

There is a way to do this through HTTP GET, but it requires modifying a bit of Python.

Edit line 395 of XMLResource.py, located at $SPLUNK_HOME/lib/python2.4/site-packages/splunk/search/XMLResource.py:

    def render_GET(self, request) :
        # backdoor so scripts can auto-login just with a GET request instead of having to craft a proper HTTP POST. Doesn't help said script keep track of the cookie, which is the hard part.
        #if ("usr" in request.args) and ("pwd" in request.args) :
        #    return self.render_POST(request)
        logger.debug("LoginResource.render_GET")
        sessNS = request.getSession().sessionNamespaces

Uncomment the if and return lines and restart splunk.

To log in, you would enter this URL:

http://your.host/login?usr=username&pwd=password
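One consequence of the GET login that the clear-text warning above does not spell out: the whole URL, usr and pwd included, is written to the web server's access log, to any proxy on the path, and to browser history. As an added example (not part of the post or of Splunk's code), here is a scrubber that takes Common Log Format access-log lines, redacts those two query parameters before the log is archived or indexed, and reports how many requests carried credentials in the query string, which doubles as a simple detection signal that the backdoor is being used. The log lines are constructed, and the parameter names usr and pwd are the ones the patched render_GET reads.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that carry credentials. usr/pwd come from the
# patched render_GET above; the set is meant to be extended per deployment.
CREDENTIAL_PARAMS = {"usr", "pwd"}

# Matches the request section of a Common Log Format line:
#   "GET /login?usr=x&pwd=y HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')


def redact_target(target):
    """Return (target with credential values replaced, list of leaked parameter names).

    Non-credential parameters are passed through; urlencode may re-escape
    their values (e.g. a space becomes '+'), which is harmless for a log.
    """
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [key for key, _ in pairs if key in CREDENTIAL_PARAMS]
    if not leaked:
        return target, []
    cleaned = [(key, "REDACTED" if key in CREDENTIAL_PARAMS else value)
               for key, value in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned))), leaked


def scrub_log_line(line):
    """Redact credentials in one access-log line; return (line, leaked names)."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    new_target, leaked = redact_target(m.group("target"))
    if not leaked:
        return line, []
    return line[:m.start("target")] + new_target + line[m.end("target"):], leaked


def scrub_log(lines):
    """Scrub every line; return (scrubbed lines, count of lines that carried credentials)."""
    scrubbed, hits = [], 0
    for line in lines:
        out, leaked = scrub_log_line(line)
        if leaked:
            hits += 1
        scrubbed.append(out)
    return scrubbed, hits


# Constructed sample access log: one GET login, one ordinary search, one POST login.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jan/2008:10:00:00 +0000] "GET /login?usr=admin&pwd=hunter2 HTTP/1.1" 200 512',
    '10.0.0.5 - - [03/Jan/2008:10:00:01 +0000] "GET /search?q=error&count=20 HTTP/1.1" 200 8192',
    '10.0.0.9 - - [03/Jan/2008:10:00:02 +0000] "POST /login HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    lines, hits = scrub_log(SAMPLE_LOG)
    print("\n".join(lines))
    print("requests with credentials in the query string:", hits)
```

Run this over the access log before it is shipped anywhere, not after; once the raw line has been forwarded to a collector or a proxy the copy there still carries the password, which is the point of the warning above.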