topic Re: Seeking assistance on configuring the indexer for Linux Logs in Getting Data In

How to configure the indexer for Linux Logs?

kymenope — Wed, 22 Mar 2023 20:17:56 GMT

I am attempting to audit the usage of commands such as chown or chomod on my linux environment. Through the below query I am able to see the list of user's, hosts, and the commands that were run but not the files or directories that they were run on. There are no fields in the event viewer that show filepaths or directories of any kind.

index=myindex comm="chmod" | table date , host , AUID , comm , exe , source

Any assistance would be appreciated. Pretty new to Splunk

Re: Seeking assistance on configuring the indexer for Linux Logs

PickleRick — Tue, 21 Mar 2023 18:27:53 GMT

I suppose you're talking about data from linux audit logs. It's not as much about ingesting data into Splunk as such but more about making auditd report them in the first place. And that's a huuuuuuge topic. You can log quite a lot with auditd but of course the more you raise verbosity of your logs, the more burden you put on your system both in performance penalty of logging everything as well as storage use.

Since it's a very non Splunk-specific topic I'd suggest starting with https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing - it's a relatively comprehensive guide to auditd.

Re: Seeking assistance on configuring the indexer for Linux Logs

kymenope — Tue, 21 Mar 2023 18:52:53 GMT

That is exactly what I am referencing. In the inputs.conf I am monitoring several /var/log locations on my linux indexer but am still not seeing the results I am hoping to see.

Re: Seeking assistance on configuring the indexer for Linux Logs

PickleRick — Wed, 22 Mar 2023 08:20:11 GMT

1. "Monitoring several /var/log locations" will surely give you several different types of logs. Not only audit logs but a whole bunch of other stuff.

2. Just because you add more monitored files to your forwarder doesn't mean that your OS logs what you need.

3. Are you sure you want to monitor _your indexer_? Are other users working directly on your indexer?

Re: Seeking assistance on configuring the indexer for Linux Logs

kymenope — Wed, 22 Mar 2023 14:09:30 GMT

There are several user's who use the search head but I'm the only one making configuration changes to the indexer. As it stands I can see tons of data but am having trouble pulling very specific fields such as filepath, filename, or the names of objects affected by user modification. I'll take a look at auditd and see what I can find.

Thanks

Re: Seeking assistance on configuring the indexer for Linux Logs

PickleRick — Wed, 22 Mar 2023 14:37:17 GMT

No, of course people use the search head as per splunk service.

I meant working directly on the server - logging in via ssh and stuff flike that. Your users do that on the search-head? Or on the indexer???