All Apps and Add-ons

Splunk Add-on for Unix and Linux: Which inputs should I enable to monitor audit/auth logs in Linux systems?

Communicator

Hi

I'm setting up forwarders for a number of Linux systems. I will be monitoring user login/authentication and audits to those servers. At first I was logging logs from /var/log/secure and /var/log/messages. Now I was thinking of using the nix app with enabling the following inputs instead of during my recent setup.

The following is the list of inputs I will be enabling.

  • Information of all users currently logged in via the who command (who.sh scripted input).
  • Audit information recorded by the auditd daemon to /var/log/audit/audit.log (rlog.sh scripted input).
  • Last login times for system accounts via the last command (lastlog.sh scripted input).

Will the information of the inputs suffice our case? Just want to know if also anyone have a same setup.

0 Karma

SplunkTrust
SplunkTrust

Id still monitor /var/log/secure and /var/log/messages too but put them in a separate index. Then compare your indexes after a while and see if they both contain what you're looking for. If they each have a little of something you're looking for, keep your current setup and the new unix/linux add on's inputs as well.

Cheers,
JKat54

0 Karma