
Support encoded TTY from audit.log in Linux Auditd app

Intermediate
Path Finder

Hi Doug,

We've recently noticed that, despite dutifully collecting TTY keypresses (using pam), Debian/Ubuntu doesn't produce USER_TTY audit events. The OSes seem to only produce TTY events, which are hex encoded.
(We're still trying to find why/how RHEL produces (encoded) TTY and (decoded) USER_TTY events for the same keypress log event.)

Would you be willing to change the way the "User TTY" feature works in your app please? Instead of being strictly "USER_TTY" ideally it would use the "TTY" filter key AND have Splunk decode the hex strings so they remain human-readable in the output of your app?

Thank you muchly!

EDIT: We're just researching the difference between USER_TTY and TTY filter keys in the audit log. It seems I may have misunderstood them and one is for non-root keystrokes, the other for root only. If you have any knowledge of Linux kernel auditing for keypresses, using pam_tty_audit.so please help me understand 🙂 Thanks!

0 Karma

ivarny
Path Finder

I tested on Ubuntu today and also found that only type="TTY" was produced.
(I added the "session required pam_tty_audit.so enable=*" to /etc/pam.d/common-session as /etc/pam.d/password-auth-ac did not seem to get picked up.)

I got the "User TTY" dashboard working fine by editing the dash and setting:
type="USER_TTY" OR type="TTY"
I also added the comm field to the table as that provides additional good insight into what's going on.

0 Karma
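To illustrate the two points raised so far (the original question about hex-encoded TTY data and ivarny's fix of matching both type="USER_TTY" OR type="TTY" and adding the comm field), here is an added example that is not part of the thread or of the Linux Auditd app. It parses a constructed audit.log excerpt, decodes unquoted hex data= values, takes quoted values literally, and renders control characters such as Enter and arrow-key escape sequences visibly. The sample log lines and field values are made up for the example; the USER_TTY line is written with an already-decoded quoted value to mirror the distinction described above, not to assert the exact on-disk format.

```python
"""Parse Linux auditd TTY / USER_TTY records and make the keystroke data readable."""
import binascii
import re
from typing import Dict, List

# Constructed sample audit.log excerpt (not taken from the original thread).
# TTY lines carry hex-encoded keystrokes; the USER_TTY line is written with an
# already-decoded, quoted value, matching the distinction the thread describes.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1700000000.123:4501): tty pid=2345 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="bash" data=6C73202D6C0D
type=USER_TTY msg=audit(1700000000.456:4502): pid=2346 uid=0 auid=0 ses=4 major=136 minor=2 comm="bash" data="whoami"
type=SYSCALL msg=audit(1700000000.789:4503): arch=c000003e syscall=59 success=yes exit=0
type=TTY msg=audit(1700000001.000:4504): tty pid=2345 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="bash" data=1B5B41
"""

TTY_TYPES = {"TTY", "USER_TTY"}
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, quoted or bare
MSG_RE = re.compile(r"audit\((\d+)\.(\d+):(\d+)\)")     # epoch.millis:serial
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one audit record into a key->value dict; quoted values keep their quotes."""
    return {k: v for k, v in KV_RE.findall(line)}


def decode_tty_data(raw: str) -> str:
    """Return the keystroke text for a data= value.

    Unquoted hex (the TTY form) is decoded; a quoted value is taken literally.
    Anything else is returned unchanged so nothing is silently dropped.
    """
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if HEX_RE.match(raw):
        return binascii.unhexlify(raw).decode("latin-1")
    return raw


def render_keystrokes(text: str) -> str:
    """Make control characters visible so Enter, Tab and arrow-key escapes show up in a table."""
    names = {0x09: "<TAB>", 0x0A: "<LF>", 0x0D: "<CR>", 0x1B: "<ESC>", 0x7F: "<DEL>"}
    out = []
    for ch in text:
        code = ord(ch)
        if 0x20 <= code <= 0x7E:
            out.append(ch)
        else:
            out.append(names.get(code, f"<{code:02X}>"))
    return "".join(out)


def tty_events(log_text: str) -> List[Dict[str, str]]:
    """Select TTY and USER_TTY records (both types, as the dashboard fix does) and decode them."""
    events = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields.get("type") not in TTY_TYPES:
            continue
        m = MSG_RE.search(fields.get("msg", ""))
        events.append({
            "time": f"{m.group(1)}.{m.group(2)}" if m else "",
            "type": fields["type"],
            "uid": fields.get("uid", ""),
            "auid": fields.get("auid", ""),
            "comm": fields.get("comm", "").strip('"'),
            "keystrokes": render_keystrokes(decode_tty_data(fields.get("data", ""))),
        })
    return events


if __name__ == "__main__":
    for ev in tty_events(SAMPLE_AUDIT_LOG):
        print(f'{ev["time"]} {ev["type"]:8} auid={ev["auid"]:<5} comm={ev["comm"]:<6} {ev["keystrokes"]}')
```

The decision to decode only unquoted values matters: a short decoded command such as "cd" is itself valid hex, so quoting, not content, has to decide whether a value is encoded. Keeping auid alongside uid is what lets the same table separate root from non-root sessions on either distro family.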

xr4nd0mx
Observer

Are you still doing this or is there a better way? This kind of works, but it's a lot less clean than the root logs. For example, the arrow keys log, and it adds spaces between letters when a user tabs. I would love to get it to look exactly as the root logs do for non-root users.

0 Karma

Intermediate
Path Finder

It seems that the TTY and USER_TTY distinction is a Red-Hat distro thing and that Debian-based distros only use a filter key of TTY.

I think there may be another way of distinguishing between root and non-root keystrokes, but I'm not clear how we could apply this to both Red-Hat and Debian-based systems.

0 Karma