
Support encoded TTY from audit.log in Linux Auditd app

Intermediate
Path Finder

Hi Doug,

We've recently noticed that, despite dutifully collecting TTY keypresses (using pam), Debian/Ubuntu doesn't produce USER_TTY audit events. Those OSes seem to only produce TTY events, which are hex encoded.
(We're still trying to find why/how RHEL produces (encoded) TTY and (decoded) USER_TTY events for the same keypress log event.)

Would you be willing to change the way the "User TTY" feature works in your app please? Instead of being strictly "USER_TTY" ideally it would use the "TTY" filter key AND have Splunk decode the hex strings so they remain human-readable in the output of your app?

Thank you muchly!

EDIT: We're just researching the difference between USER_TTY and TTY filter keys in the audit log. It seems I may have misunderstood them and one is for non-root keystrokes, the other for root only. If you have any knowledge of Linux kernel auditing for keypresses, using pam_tty_audit.so please help me understand 🙂 Thanks!

0 Karma

ivarny
Path Finder

I tested on Ubuntu today and also found that only type="TTY" was produced.
(I added the "session required pam_tty_audit.so enable=*" to /etc/pam.d/common-session as /etc/pam.d/password-auth-ac did not seem to get picked up. )

I got the "User TTY" dashboard working fine by editing the dash and setting:
type="USER_TTY" OR type="TTY"
I also added the comm field to the table as that provides additional good insight into what's going on.

0 Karma

xr4nd0mx
Observer

Are you still doing this or is there a better way? This kind of works, but it's a lot less clean than the root logs. For example, the arrow keys log, and it adds spaces between letters when a user tabs. I would love to get it to look exactly as the root logs do for non-root users.

0 Karma

Intermediate
Path Finder

It seems that the TTY and USER_TTY distinction is a Red-Hat distro thing and that Debian-based distros only use a filter key of TTY.

I think there may be another way of distinguishing between root and non-root keystrokes, but I'm not clear how we could apply this to both Red-Hat and Debian-based systems.

0 Karma
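An added example, not part of this thread or of the Linux Auditd app, showing the two things asked for above: decoding the hex `data=` field that the kernel writes into `type=TTY` records into readable keystrokes (the way `ausearch -i` shows them), and separating root from non-root keystrokes using the `uid=` and `auid=` fields that every TTY record carries rather than the record type. `auid` is the login uid and survives `sudo`/`su`, so `uid=0` with a non-zero `auid` is a root shell reached from a non-root login. The audit lines are constructed for the example; the TTY lines follow the kernel's record layout, but the layout of the USER_TTY line (already-decoded text in `data=`, as the first post reports for RHEL) is an assumption and may differ from what your distribution emits. Control bytes and arrow-key escape sequences are rendered as named keys in the spirit of `ausearch -i`, not as an exact copy of its table.

```python
import re

# Constructed sample audit.log excerpt (not from the thread). The hex in data= is
# what the kernel's tty audit code writes: uppercase hex of the raw input bytes.
# The USER_TTY line's layout is assumed, not taken from a real record.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.100:500): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="bash"
type=TTY msg=audit(1700000000.101:501): tty pid=2301 uid=1000 auid=1000 ses=4 major=136 minor=1 comm="bash" data=6C73202D6C09
type=TTY msg=audit(1700000000.102:502): tty pid=2301 uid=1000 auid=1000 ses=4 major=136 minor=1 comm="bash" data=1B5B410D
type=TTY msg=audit(1700000000.103:503): tty pid=2350 uid=0 auid=1000 ses=4 major=136 minor=1 comm="bash" data=6964203E2F746D702F6F75740D
type=TTY msg=audit(1700000000.104:504): tty pid=2350 uid=0 auid=1000 ses=4 major=136 minor=1 comm="bash" data=03
type=USER_TTY msg=audit(1700000000.105:505): pid=2400 uid=0 auid=0 ses=5 comm="bash" data='whoami<ret>'
"""

TYPE_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD_RE = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')   # even number of hex digits only
AUID_UNSET = 4294967295                          # auid=-1 as an unsigned 32-bit value

# Named rendering of control bytes and the common arrow-key escape sequences.
CONTROL_NAMES = {0x09: "<tab>", 0x0A: "<nl>", 0x0D: "<ret>", 0x1B: "<esc>", 0x7F: "<del>"}
ESCAPE_SEQS = {b"\x1b[A": "<up>", b"\x1b[B": "<down>", b"\x1b[C": "<right>", b"\x1b[D": "<left>"}


def render_keys(raw: bytes) -> str:
    """Turn raw keystroke bytes into readable text, one named token per control key."""
    out, i = [], 0
    while i < len(raw):
        # Multi-byte arrow-key sequences first, so ESC [ A is one key, not three.
        for seq, name in ESCAPE_SEQS.items():
            if raw.startswith(seq, i):
                out.append(name)
                i += len(seq)
                break
        else:
            b = raw[i]
            if b in CONTROL_NAMES:
                out.append(CONTROL_NAMES[b])
            elif b < 0x20:
                out.append("<^%c>" % (b + 0x40))   # 0x03 -> <^C>, 0x04 -> <^D>, ...
            elif b < 0x7F:
                out.append(chr(b))
            else:
                out.append("<0x%02X>" % b)          # non-ASCII byte, shown as hex
            i += 1
    return "".join(out)


def parse_tty_record(line: str):
    """Parse one audit.log line; return a dict for TTY/USER_TTY records, else None."""
    m = TYPE_RE.match(line)
    if not m or m.group(1) not in ("TTY", "USER_TTY"):
        return None
    rectype, ts, serial = m.groups()
    fields = dict(FIELD_RE.findall(line[m.end():]))
    data = fields.get("data", "")
    if HEX_RE.match(data):
        keys = render_keys(bytes.fromhex(data))     # hex-encoded TTY record
    else:
        keys = data.strip("'\"")                    # already-decoded text (assumed USER_TTY form)
    uid = int(fields.get("uid", -1))
    auid = int(fields.get("auid", -1))
    return {
        "type": rectype, "time": float(ts), "serial": int(serial),
        "uid": uid, "auid": auid, "ses": int(fields.get("ses", -1)),
        "comm": fields.get("comm", "").strip('"'), "keys": keys,
        "is_root": uid == 0,
        # root shell reached from a non-root login (sudo/su): auid keeps the login uid
        "escalated": uid == 0 and auid not in (0, AUID_UNSET),
    }


def decode_audit_log(text: str):
    """All TTY/USER_TTY records in an audit.log excerpt, in file order."""
    return [r for r in (parse_tty_record(l) for l in text.splitlines()) if r]


def keystrokes_by_session(records, root=None):
    """Join each session's keystrokes; root=True/False keeps only root / non-root records."""
    sessions = {}
    for r in records:
        if root is not None and r["is_root"] != root:
            continue
        sessions.setdefault(r["ses"], []).append(r["keys"])
    return {ses: "".join(parts) for ses, parts in sessions.items()}


if __name__ == "__main__":
    recs = decode_audit_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(r["type"], "ses=%d uid=%d auid=%d" % (r["ses"], r["uid"], r["auid"]), repr(r["keys"]))
    print("non-root:", keystrokes_by_session(recs, root=False))
    print("root:", keystrokes_by_session(recs, root=True))
```

Because the kernel logs the bytes typed, not what the shell echoed, tab completion arrives as a single 0x09 and arrow-key history recall as an ESC sequence; rendering those as `<tab>` and `<up>` is what keeps the non-root output as tidy as the root output. To do the same inside Splunk, the equivalent of `render_keys` would be applied to the extracted `data` field; the uid/auid test is the part that does not depend on the USER_TTY versus TTY difference between Red Hat and Debian.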