Deployment Architecture

Are there related fields between sudo log and LDAP log? I want to monitor daily Linux sudo activity.

vicky05ssr04
Engager

I have a requirement for daily report of Linux sudo activity.

I came to know that the LDAP log will tell me if the user successfully has access, and sudo log will tell me what the execute request is and where?

Can I relate both logs using a common keyword or something to fetch results of both? I don't see one. Is there any approach tried by anyone on this, please let me know asap!

0 Karma

jfraiberg
Communicator

This really depends on how you are using ldap and sudo in your environment. Do the usernames match between the 2 log sources? If they do you should be able to easily correlate the 2. If they are not the same you could create a mapping between the 2 and use a lookup table or kvstore to facilitate the correlation.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...