Hi everyone,
I need to know the last activity of the command splunk restart. Is there a way I can find the username of the person correspondingly running the command?
If on Linux, additionally you can try to correlate the output of the "last" command, which lists all Linux users with corresponding login and logout times, with the time when the "./splunk restart" command was issued. That will not work if you have several simultaneously logged-in users. I think you need the TA_nix Addon to get this info.
On Windows you need to check the Security log to get similar information (using the Addon for Windows).
Hi @ayushmaan,
you can find the Splunk restart via GUI in _internal using a simple search like this:
index=_internal restart
The result will be something like this, where admin is the user that launched the command:
127.0.0.1 - admin [23/Mar/2020:13:54:43.703 +0100] "GET /services/messages/restart_required HTTP/1.0" 404 159 - - - 1ms
For the restart via CLI, the only way is to read the history files on Linux and search for the command:
./splunk restart
Ciao.
Giuseppe
Hey,
Thanks for the quick response, but does this tell us the info of the user who used the command "./splunk restart"? That is the main ask.
Hi @ayushmaan,
To have the user that used the CLI command, you have to take the Linux history logs.
If you look in the Splunk_TA_nix App, in inputs.conf there's the configuration to take these logs and to see the user that executed them:
### bash history
[monitor:///root/.bash_history]
disabled = 0
sourcetype = bash_history
index = os
[monitor:///home/.../.bash_history]
disabled = 0
sourcetype = bash_history
index = os
The folder before .bash_history is the username of the user that launched the CLI command.
Ciao.
Giuseppe
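As an added worked example (not code from the thread or from the Splunk_TA_nix app), this Python script applies the two lookups described above offline: it takes the username from the directory that holds the monitored .bash_history file, and the Splunk user from the splunkd_access line quoted earlier. The event dicts, file paths and sample history lines are constructed to mimic what Splunk indexes from those inputs.

```python
import posixpath
import re
from typing import Dict, List, Optional

# splunkd_access.log line as quoted in the thread; the third field is the authenticated Splunk user.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
# "splunk restart" typed at a shell: "./splunk restart", "/opt/splunk/bin/splunk restart", ...
RESTART_RE = re.compile(r'(?:^|[\s/])splunk\s+restart\b')


def user_from_history_path(source: str) -> Optional[str]:
    """The directory holding .bash_history names the user: /root/... -> root, /home/alice/... -> alice."""
    if posixpath.basename(source) != '.bash_history':
        return None
    return posixpath.basename(posixpath.dirname(source)) or None


def user_from_access_line(raw: str) -> Optional[str]:
    """Return the Splunk user behind a restart-related REST request, or None for other lines."""
    m = ACCESS_RE.match(raw)
    if not m or 'restart' not in m.group('req') or m.group('user') == '-':
        return None
    return m.group('user')


def restart_actors(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Events carry sourcetype, source and _raw like Splunk does. Caveats: bash writes no
    timestamps unless HISTTIMEFORMAT is set (then a '#<epoch>' line precedes each command),
    so the time of a CLI restart comes from the event's _time; a command run from a
    'sudo -i' root shell lands in /root/.bash_history, not in the invoking user's file."""
    hits = []
    for ev in events:
        if ev['sourcetype'] == 'bash_history':
            user = user_from_history_path(ev['source'])
            if user and RESTART_RE.search(ev['_raw']):
                hits.append({'user': user, 'via': 'cli', 'evidence': ev['_raw'].strip()})
        elif ev['sourcetype'] == 'splunkd_access':
            user = user_from_access_line(ev['_raw'])
            if user:
                hits.append({'user': user, 'via': 'gui', 'evidence': ev['_raw'].strip()})
    return hits


# Constructed sample events (not real data): one GUI restart, one unrelated command, two CLI restarts.
SAMPLE_EVENTS = [
    {'sourcetype': 'splunkd_access', 'source': '/opt/splunk/var/log/splunk/splunkd_access.log',
     '_raw': '127.0.0.1 - admin [23/Mar/2020:13:54:43.703 +0100] "GET /services/messages/restart_required HTTP/1.0" 404 159 - - - 1ms'},
    {'sourcetype': 'bash_history', 'source': '/root/.bash_history', '_raw': 'cd /opt/splunk/bin'},
    {'sourcetype': 'bash_history', 'source': '/root/.bash_history', '_raw': './splunk restart'},
    {'sourcetype': 'bash_history', 'source': '/home/alice/.bash_history', '_raw': 'sudo /opt/splunk/bin/splunk restart'},
]

if __name__ == '__main__':
    for hit in restart_actors(SAMPLE_EVENTS):
        print(hit)
```

Inside Splunk the same extraction is a `rex field=source` over the monitored path; this version runs offline so the logic can be checked before turning it into a search.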