- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to configure the indexer for Linux Logs?
I am attempting to audit the usage of commands such as chown or chomod on my linux environment. Through the below query I am able to see the list of user's, hosts, and the commands that were run but not the files or directories that they were run on. There are no fields in the event viewer that show filepaths or directories of any kind.
index=myindex comm="chmod" | table date , host , AUID , comm , exe , source
Any assistance would be appreciated. Pretty new to Splunk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suppose you're talking about data from linux audit logs. It's not as much about ingesting data into Splunk as such but more about making auditd report them in the first place. And that's a huuuuuuge topic. You can log quite a lot with auditd but of course the more you raise verbosity of your logs, the more burden you put on your system both in performance penalty of logging everything as well as storage use.
Since it's a very non Splunk-specific topic I'd suggest starting with https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-sy... - it's a relatively comprehensive guide to auditd.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is exactly what I am referencing. In the inputs.conf I am monitoring several /var/log locations on my linux indexer but am still not seeing the results I am hoping to see.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. "Monitoring several /var/log locations" will surely give you several different types of logs. Not only audit logs but a whole bunch of other stuff.
2. Just because you add more monitored files to your forwarder doesn't mean that your OS logs what you need.
3. Are you sure you want to monitor _your indexer_? Are other users working directly on your indexer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are several user's who use the search head but I'm the only one making configuration changes to the indexer. As it stands I can see tons of data but am having trouble pulling very specific fields such as filepath, filename, or the names of objects affected by user modification. I'll take a look at auditd and see what I can find.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, of course people use the search head as per splunk service.
I meant working directly on the server - logging in via ssh and stuff flike that. Your users do that on the search-head? Or on the indexer???
