https://community.splunk.com/t5/Getting-Data-In/How-to-track-file-modification-on-a-Linux-server-as-an-Alert/m-p/655325#M111033 <P>What about Linux add-on? Can i do this kind of jobs with that?</P> Wed, 23 Aug 2023 12:45:55 GMT 10061987 2023-08-23T12:45:55Z https://community.splunk.com/t5/Getting-Data-In/How-to-track-file-modification-on-a-Linux-server-as-an-Alert/m-p/655311#M111027 <P>Dear Community,</P><P>I have 2 question.</P><P>First one i have index=linux and some computers. I want to track file modifications sudoers and sshd_config file. For example if someone makes a change on sshd_config i want to see this change on Splunk as a alert. I searched on the internet about this and couldn't find. Actually the real thing i want is tracking changing PermitRootLogin (sshd_config) string changes from No to Yes but as i know this is hard to detect in Splunk.</P><P>Any help would be appreciated!</P> Wed, 23 Aug 2023 11:46:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-track-file-modification-on-a-Linux-server-as-an-Alert/m-p/655311#M111027 10061987 2023-08-23T11:46:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-track-file-modification-on-a-Linux-server-as-an-Alert/m-p/655317#M111029 <P>You can use the <FONT face="courier new,courier">fschange</FONT> input to be notified when a file changes without getting data from the file itself.&nbsp; That input has been deprecated for quite a while so it may go away at any time, however.</P> Wed, 23 Aug 2023 12:09:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-track-file-modification-on-a-Linux-server-as-an-Alert/m-p/655317#M111029 richgalloway 2023-08-23T12:09:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-track-file-modification-on-a-Linux-server-as-an-Alert/m-p/655319#M111030 <P>Thank you for your reply. I did some research. I think i can use command parameter in Linux for tracking who edited those files. For example people is using vi, nano and echo commands for making changes on a file. Do you have any idea about this stuff?</P> Wed, 23 Aug 2023 12:11:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-track-file-modification-on-a-Linux-server-as-an-Alert/m-p/655319#M111030 10061987 2023-08-23T12:11:48Z https://community.splunk.com/t5/Getting-Data-In/How-to-track-file-modification-on-a-Linux-server-as-an-Alert/m-p/655323#M111032 <P>Yes, it should be possible to parse the command log (if present on the system) to find commands that changed a given file, although it may be possible for users to obfuscate their attempts.</P> Wed, 23 Aug 2023 12:24:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-track-file-modification-on-a-Linux-server-as-an-Alert/m-p/655323#M111032 richgalloway 2023-08-23T12:24:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-track-file-modification-on-a-Linux-server-as-an-Alert/m-p/655325#M111033 <P>What about Linux add-on? Can i do this kind of jobs with that?</P> Wed, 23 Aug 2023 12:45:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-track-file-modification-on-a-Linux-server-as-an-Alert/m-p/655325#M111033 10061987 2023-08-23T12:45:55Z https://community.splunk.com/t5/Getting-Data-In/How-to-track-file-modification-on-a-Linux-server-as-an-Alert/m-p/655326#M111034 <P>Possibly.&nbsp; There are several Linux add-ons and one or more of them may help.&nbsp; The "Linux Auditd Technology Add-on" (<A href="https://splunkbase.splunk.com/app/4232" target="_blank">https://splunkbase.splunk.com/app/4232</A>) looks promising, however, it only parses the data.&nbsp; It's up to you to get the data into Splunk.</P> Wed, 23 Aug 2023 13:12:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-track-file-modification-on-a-Linux-server-as-an-Alert/m-p/655326#M111034 richgalloway 2023-08-23T13:12:58Z