Monitoring Splunk
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Linux input for process monitoring (similar to Windows Sysmon)

ejwade
Contributor
‎08-30-2019 09:36 AM

We're looking for a tool that does the same thing as Windows Sysmon (Sysinternals), but for Linux. The problem with ps and other process monitoring inputs in the Linux TA is the interval. If a process launches and closely quickly, an interval capture will missed it. We need something that will write a log whenever a process is created, preferably with the command launching the process.

Any input is appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

larchinal75
Explorer
‎11-15-2019 09:42 AM

Good afternoon,

I did some brief research and testing with Linux systems for the same reasons; We were looking for command-line capture and process execution within our Linux environment. The best we came up with is Auditd. This provided close to the same results as Sysmon (i.e. if someone ran a command in command-line). The way it operates though is different to Sysmon where when you configured Sysmon and installed it, it began logging right away. With Auditd we had to create "rules" to look for activity.

I hope this answers your question.

Have a wonderful day!

View solution in original post

Reply
Solved! Jump to solution
Solution

larchinal75
Explorer
‎11-15-2019 09:42 AM

Good afternoon,

I did some brief research and testing with Linux systems for the same reasons; We were looking for command-line capture and process execution within our Linux environment. The best we came up with is Auditd. This provided close to the same results as Sysmon (i.e. if someone ran a command in command-line). The way it operates though is different to Sysmon where when you configured Sysmon and installed it, it began logging right away. With Auditd we had to create "rules" to look for activity.

I hope this answers your question.

Have a wonderful day!

Reply
Solved! Jump to solution

larchinal75
Explorer
‎11-15-2019 09:51 AM

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-def...

https://www.linux.com/tutorials/customized-file-monitoring-auditd/

Here are some references that I have come across regarding auditd and creating the rules.

Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎09-02-2019 01:12 AM

You can achieve this using Linux auditd, please check with your Linux system administrator to configure auditd on Linux server and then monitor auditd.log file in Splunk.

Reply
Solved! Jump to solution

ejwade
Contributor
‎09-03-2019 09:44 AM

@harsmarvania57 That's good advice. We've been exploring auditd; specifically EXEVCE system calls. Thanks for the suggestion!

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top