Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to configure the indexer for Linux Logs?

kymenope
Explorer
‎03-21-2023 09:34 AM

I am attempting to audit the usage of commands such as chown or chomod on my linux environment.  Through the below query I am able to see the list of user's, hosts, and the commands that were run but not the files or directories that they were run on.  There are no fields in the event viewer that show filepaths or directories of any kind.

index=myindex  comm="chmod"  | table date , host , AUID , comm , exe , source

 

Any assistance would be appreciated.  Pretty new to Splunk

Labels (2)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-21-2023 11:27 AM

I suppose you're talking about data from linux audit logs. It's not as much about ingesting data into Splunk as such but more about making auditd report them in the first place. And that's a huuuuuuge topic. You can log quite a lot with auditd but of course the more you raise verbosity of your logs, the more burden you put on your system both in performance penalty of logging everything as well as storage use.

Since it's a very non Splunk-specific topic I'd suggest starting with https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-sy... - it's a relatively comprehensive guide to auditd.

0 Karma
Reply

kymenope
Explorer
‎03-21-2023 11:52 AM

That is exactly what I am referencing.  In the inputs.conf I am monitoring several /var/log locations on my linux indexer but am still not seeing the results I am hoping to see. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-22-2023 01:20 AM

1. "Monitoring several /var/log locations" will surely give you several different types of logs. Not only audit logs but a whole bunch of other stuff.

2. Just because you add more monitored files to your forwarder doesn't mean that your OS logs what you need.

3. Are you sure you want to monitor _your indexer_? Are other users working directly on your indexer?

0 Karma
Reply

kymenope
Explorer
‎03-22-2023 07:09 AM

There are several user's who use the search head but I'm the only one making configuration changes to the indexer.  As it stands I can see tons of data but am having trouble pulling very specific fields such as filepath, filename, or the names of objects affected by user modification.  I'll take a look at auditd and see what I can find.

 

Thanks

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-22-2023 07:37 AM

No, of course people use the search head as per splunk service.

I meant working directly on the server - logging in via ssh and stuff flike that. Your users do that on the search-head? Or on the indexer???

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...