topic splunk client ssh in Monitoring Splunk

splunk client ssh

obadr56 — Mon, 03 May 2021 22:24:54 GMT

I have installed CentOS 7 on a EC2 server and on CentOS 7 Installed splunk and universal forwarding. Now I need help with how to store client ssh login and logoff record?.

Re: splunk client ssh

richgalloway — Mon, 03 May 2021 23:14:07 GMT

First, there's rarely a need to install Splunk and a universal forwarder on the same server. Install one or the other.

Second, please describe your use case in more detail. What problem are you trying to solve?

Re: splunk client ssh

obadr56 — Mon, 03 May 2021 23:19:41 GMT

I am trying to setup splunk so it can store client ssh login and logoff record how do I do that with splunk?

Re: splunk client ssh

obadr56 — Mon, 03 May 2021 23:38:11 GMT

So what do I have to do to have splunk to store client ssh login and logoff record on my ec2 instance with centos 7 installed do I have to remove universal forwarding and install it on another ec2 please help and advise. I am new to Splunk so be patient with me thanks a lot for helping.

Re: splunk client ssh

richgalloway — Tue, 04 May 2021 12:15:33 GMT

Use Splunk or the UF to monitor /var/log/audit/audit.log on each EC2 instance. Do that by adding a monitor stanza to the inputs.conf file on each instance.

You will need to use SELinux or SETFACL to give Splunk (or the UF) permission to read the file.

Re: splunk client ssh

ephemeric — Mon, 23 Aug 2021 19:01:31 GMT

It sounds like you want to monitor on CentOS7: `/var/log/secure` as that file has all the entries for SSH sessions.

To make things less complicated: run the SUF as `root`, it will be easier to understand how things work. You can test on an isolated EC2 instance and secure later.

If you want to forward `/var/log/secure` from other EC2 instances to your indexer, those will only require a SUF installed.

You do not need a SUF and indexer installed on the same host. If you have installed Splunk proper, with web and all you can add a monitor input for `/var/log/secure`.