Getting Data In

How to configure the indexer for Linux Logs?

kymenope
Explorer

I am attempting to audit the usage of commands such as chown or chomod on my linux environment.  Through the below query I am able to see the list of user's, hosts, and the commands that were run but not the files or directories that they were run on.  There are no fields in the event viewer that show filepaths or directories of any kind.

index=myindex  comm="chmod"  | table date , host , AUID , comm , exe , source

 

Any assistance would be appreciated.  Pretty new to Splunk

Labels (2)
Tags (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

I suppose you're talking about data from linux audit logs. It's not as much about ingesting data into Splunk as such but more about making auditd report them in the first place. And that's a huuuuuuge topic. You can log quite a lot with auditd but of course the more you raise verbosity of your logs, the more burden you put on your system both in performance penalty of logging everything as well as storage use.

Since it's a very non Splunk-specific topic I'd suggest starting with https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-sy... - it's a relatively comprehensive guide to auditd.

0 Karma

kymenope
Explorer

That is exactly what I am referencing.  In the inputs.conf I am monitoring several /var/log locations on my linux indexer but am still not seeing the results I am hoping to see. 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

1. "Monitoring several /var/log locations" will surely give you several different types of logs. Not only audit logs but a whole bunch of other stuff.

2. Just because you add more monitored files to your forwarder doesn't mean that your OS logs what you need.

3. Are you sure you want to monitor _your indexer_? Are other users working directly on your indexer?

0 Karma

kymenope
Explorer

There are several user's who use the search head but I'm the only one making configuration changes to the indexer.  As it stands I can see tons of data but am having trouble pulling very specific fields such as filepath, filename, or the names of objects affected by user modification.  I'll take a look at auditd and see what I can find.

 

Thanks

0 Karma

PickleRick
SplunkTrust
SplunkTrust

No, of course people use the search head as per splunk service.

I meant working directly on the server - logging in via ssh and stuff flike that. Your users do that on the search-head? Or on the indexer???

0 Karma
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...