https://community.splunk.com/t5/Splunk-Search/Linux-mounting-unmounting/m-p/384708#M112360 <P>What you need to do is perform some stimulus response testing and development. </P> <OL> <LI>ask the admin what linux distro and version they are running</LI> <LI>setup a vm for the distro and install a universal forwarder on it</LI> <LI>forward the logs to splunk enterprise (can be local install to your laptop/workstation where the vm is or wherever you have a splunk enterprise instance available for this dev work)</LI> <LI>perform the actions you want to write and alert for - plug in usbs, mount cds, etc</LI> <LI>look at the raw logs and write your alerts, during your analysis you might be able to generalize the alert such that it can be applied to more than one linux distro (would still require testing and validation)</LI> <LI>perhaps install the *nix app/ta to get some quick win parsing before starting the log analysis</LI> </OL> <P>You might also try the splunk security essentials app on splunk base, it might have some of this built already and you could just copy the searches, you would still likely benefit from testing it against a vm with proper disto.</P> Wed, 22 May 2019 22:22:26 GMT marycordova 2019-05-22T22:22:26Z https://community.splunk.com/t5/Splunk-Search/Linux-mounting-unmounting/m-p/384705#M112357 <P>I am attempting to create a search string for a Linux box which involves mounting/unmounting removable media devices (ie., CDs and USB devices) Any help would be welcome.</P> Wed, 22 May 2019 14:39:23 GMT https://community.splunk.com/t5/Splunk-Search/Linux-mounting-unmounting/m-p/384705#M112357 mvitullo 2019-05-22T14:39:23Z https://community.splunk.com/t5/Splunk-Search/Linux-mounting-unmounting/m-p/384706#M112358 <P>It's not clear what you seek. Please explain your use case.</P> Wed, 22 May 2019 14:45:50 GMT https://community.splunk.com/t5/Splunk-Search/Linux-mounting-unmounting/m-p/384706#M112358 richgalloway 2019-05-22T14:45:50Z https://community.splunk.com/t5/Splunk-Search/Linux-mounting-unmounting/m-p/384707#M112359 <P>I have a system admininistrator who requires a dashboard for their Linux OS. This dashboard is to be used for providing when any users place (mount) and/or remove (unmount) any form of removable media from the machine. The search string would look for any events where this would occur.</P> Wed, 22 May 2019 15:05:33 GMT https://community.splunk.com/t5/Splunk-Search/Linux-mounting-unmounting/m-p/384707#M112359 mvitullo 2019-05-22T15:05:33Z https://community.splunk.com/t5/Splunk-Search/Linux-mounting-unmounting/m-p/384708#M112360 <P>What you need to do is perform some stimulus response testing and development. </P> <OL> <LI>ask the admin what linux distro and version they are running</LI> <LI>setup a vm for the distro and install a universal forwarder on it</LI> <LI>forward the logs to splunk enterprise (can be local install to your laptop/workstation where the vm is or wherever you have a splunk enterprise instance available for this dev work)</LI> <LI>perform the actions you want to write and alert for - plug in usbs, mount cds, etc</LI> <LI>look at the raw logs and write your alerts, during your analysis you might be able to generalize the alert such that it can be applied to more than one linux distro (would still require testing and validation)</LI> <LI>perhaps install the *nix app/ta to get some quick win parsing before starting the log analysis</LI> </OL> <P>You might also try the splunk security essentials app on splunk base, it might have some of this built already and you could just copy the searches, you would still likely benefit from testing it against a vm with proper disto.</P> Wed, 22 May 2019 22:22:26 GMT https://community.splunk.com/t5/Splunk-Search/Linux-mounting-unmounting/m-p/384708#M112360 marycordova 2019-05-22T22:22:26Z https://community.splunk.com/t5/Splunk-Search/Linux-mounting-unmounting/m-p/384709#M112361 <P>Couple questions up front:<BR /> 1. Do you already collect logs on these linux systems?<BR /> 2. Are you forwarding these logs into splunk already?<BR /> 3. What variations of Linux are you looking to report against?</P> Thu, 23 May 2019 15:39:08 GMT https://community.splunk.com/t5/Splunk-Search/Linux-mounting-unmounting/m-p/384709#M112361 mlinde 2019-05-23T15:39:08Z