Log files
The Splunk App for Enterprise Security creates and uses a number of log files, located in $SPLUNK_HOME/var/log/splunk. This table describes some of these files.
Log file name | Purpose |
---|---|
correlationsearches_rest_handler.log | Logs calls to the correlation searches REST handler. Indicates when the correlation searches REST handler was called. |
es_installer_controller.log | Logs calls to the Enterprise Security installer controller and provides information about activities that occurred when Enterprise Security is installed or upgraded. |
essinstall.log | Logs actions taken by the Enterprise Security setup page and provides information about the actions taken when the Enterprise Security setup page is invoked. |
eventgen.log | Logs actions taken by the event generator. Includes information about which samples were used and when data is generated. |
governance_makeCSV.log | Logs activities from the script which populates the governance lookup. Indicates when the governance script has requested a refreshing of the governance lookup file. |
governance_rest_handler.log | Logs activity from the governance REST handler which performs updates to the governance lookup file. Indicates when the governance REST handler has refreshed the governance lookup file. |
identityLookup_base_class.log | Logs activity from the identity lookup helper classes that expand the user-editable identity lookup file into the Splunk-readable format. Indicates when the user-editable identity lookup file is expanded into the Splunk-readable format; can identify errors in the identity lookup file. |
identityLookup_reload.log | Logs activity from the scripted input that invokes updates to the identity lookup file. Indicates when the identity lookup file refresh is invoked. |
identityLookup_rest_handler.log | Logs activity from the identity lookup REST handler that updates the identity lookup file. Indicates when the identity lookup file is updated. |
intentions.log | Core log file. |
LogReviewPopup_rest_handler.log | Logs activity from the REST handler responsible for providing the log review configuration settings. Contains requests for, or changes to, log review settings. |
log_review_popup_module.log | Logs activity from the log review popup module (on the Incident Review page), and provides information about changes to notable events made from the Incident Review page. |
notable_event_status.log | Logs activity from the notable event status helper classes that manage notable event statuses, and provides information about changes to the notable event statuses. |
notable_event_suppression.log | Logs activity from the notable event suppression helper classes that manage notable event suppressions. Provides information about changes to the notable event suppressions. |
notable_event_suppression_autoDisable.log | Logs activity from the scripted input responsible for disabling expired notable event suppressions. Indicates when expired suppressions are pruned. |
notable_owners.log | Logs activity from the scripted input that updates the list of notable owners. Indicates when the list of notable owners is refreshed. |
postprocess.log | Logs activity from the scheduled post-process that takes the results from a scheduled search and performs additional processing. Indicates when search results are post-processed. |
postprocess_base_class.log | Logs activity from a post-process helper class that provides access to the post-processes. Indicates when post-processes are retrieved. |
postprocess_rest_handler.log | Logs activity of the post-process REST handler. Indicates when post-processes are accessed, updated, created, or deleted. |
python.log | Core log file. |
python_modular_input.log | Logs activity from Python-based modular inputs. Indicates when Python-based modular inputs are executed and provides information useful for debugging problems with modular inputs. |
reviewstatuses_makeCSV.log | Logs activity from the script responsible for updating the review statuses lookup. Indicates when the review statuses lookup file is refreshed. |
reviewstatuses_rest_handler.log | Logs requests to the review statuses REST handler that provides access and modifications to the review statuses. Indicates when review statuses are accessed or modified. |
searches.log | Core log file. |
suppressions_rest_handler.log | Logs requests to the suppressions REST handler that provides access and modifications to the notable event suppressions. Indicates when the notable event suppressions are accessed or modified. |
transitioners_rest_handler.log | Logs requests to the list of people who can transition notable event statuses. Indicates when the list of notable status transitioners is requested. |
transitions_rest_handler.log | Logs requests for access to or changes to the list of transitions. Indicates when the notable event transitions are accessed or modified. |
tsidxstats_rest_handler.log | Logs requests to the TSIDX REST handler that provides information about TSIDX namespaces. Indicates when TSIDX namespace information is requested. |
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1