Deployment Architecture

Are there related fields between sudo log and LDAP log? I want to monitor daily Linux sudo activity.

vicky05ssr04
Engager

I have a requirement for daily report of Linux sudo activity.

I came to know that the LDAP log will tell me if the user successfully has access, and sudo log will tell me what the execute request is and where?

Can I relate both logs using a common keyword or something to fetch results of both? I don't see one. Is there any approach tried by anyone on this, please let me know asap!

0 Karma

jfraiberg
Communicator

This really depends on how you are using ldap and sudo in your environment. Do the usernames match between the 2 log sources? If they do you should be able to easily correlate the 2. If they are not the same you could create a mapping between the 2 and use a lookup table or kvstore to facilitate the correlation.

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...