Deployment Architecture

Splunk Search Query for Logged-in Users on Linux Servers

umesh_phendarka
New Member

What is the Splunk search query for logged-in users on Linux servers?
I want to have a dashboard for currently logged-in users on Linux servers.


ivanreis
Builder

If you want to search for Linux users' current logins, you should identify the Linux log where this data is being sent and index that file into Splunk.
Possible steps to take:
Create an input to read this log file, and assign the data to an index and sourcetype.
Sample:
# inputs.conf stanza: monitor every .log file under /var/log
[monitor:///var/log/*.log]
disabled = false
sourcetype = secure_log
index = linux
Depending on how the user information is shown in the file, a regex may be needed to extract the user from the log, if Splunk is not capable of extracting this info on its own.

Please see a sample of code from this link. In this sample, the index is not specified, so I recommend always specifying an index to which your indexed data is assigned, and not relying on the default configuration if you are running a large Splunk environment, to avoid performance issues.
https://gosplunk.com/list-of-users-in-a-linux-environment/

Potential Splunk search based on the link attached above (the rex extracts the word following "user" into a field named User):

index=linux sourcetype=secure_log | rex "user\s+(?<User>\S+)" | stats count by User

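The search above counts login events from the auth log, which is not the same as who is logged in right now. As an added example (not from the answer above or from the linked gosplunk page), the script below implements the "currently logged in" requirement as a Splunk scripted input: it turns `who` output into one key=value event per active session. The inputs.conf stanza, the sourcetype name linux:sessions, the app path and the sample `who` lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a Splunk scripted input that converts the
# output of `who` into one key=value event per active login session, so a
# dashboard can show who is logged in now rather than historic login events.
# Assumed deployment (stanza is an assumption, not from the post):
#   [script://$SPLUNK_HOME/etc/apps/linux_sessions/bin/logged_in_users.sh]
#   interval = 60
#   sourcetype = linux:sessions
#   index = linux
# Matching search for a dashboard panel:
#   index=linux sourcetype=linux:sessions earliest=-2m
#   | stats latest(_time) AS last_seen by host user tty from_host

# Expected input is the default GNU coreutils `who` format, e.g.
#   alice    pts/0        2022-11-21 09:12 (203.0.113.5)
# The remote origin is the trailing parenthesised field; console and tty
# logins carry no origin and are reported as from_host=local.
format_sessions() {
    awk -v now="$(date -u +%Y-%m-%dT%H:%M:%SZ)" '
    NF >= 4 {
        from = "local"
        if ($NF ~ /^\(.*\)$/) from = substr($NF, 2, length($NF) - 2)
        printf "ts=%s user=%s tty=%s login_time=\"%s %s\" from_host=%s\n",
               now, $1, $2, $3, $4, from
    }'
}

# Number of distinct users with at least one session (quick sanity check).
count_users() {
    awk 'NF >= 4 && !($1 in seen) { seen[$1] = 1; n++ } END { print n + 0 }'
}

# Constructed sample of `who` output, used when run without --live.
SAMPLE_WHO='alice    pts/0        2022-11-21 09:12 (203.0.113.5)
bob      tty1         2022-11-21 08:30
alice    pts/1        2022-11-21 09:40 (198.51.100.7)'

if [ "${1:-}" = "--live" ]; then
    who | format_sessions           # what Splunk runs on the interval
else
    printf '%s\n' "$SAMPLE_WHO" | format_sessions
fi
```

Run it with `--live` from the scripted input; without arguments it prints the three constructed sample events so the field extraction can be checked before deployment.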

broberg
Communicator

Do you have any app that keeps track of this so you can search for it?
Or do you want to see usernames that are logged into a Splunk instance running on a Linux server?
