Dear Community,
I have 2 questions.
First, I have index=linux and some computers. I want to track modifications to the sudoers and sshd_config files. For example, if someone makes a change to sshd_config, I want to see this change in Splunk as an alert. I searched the internet about this and couldn't find anything. Actually, the real thing I want is to track the PermitRootLogin string (in sshd_config) changing from No to Yes, but as far as I know this is hard to detect in Splunk.
Any help would be appreciated!
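The PermitRootLogin part of the question is hard to do with a plain string match, because sshd applies the first PermitRootLogin directive it finds outside any Match block, treats keywords case-insensitively, ignores comment lines, and accepts both "Keyword value" and "Keyword=value". The following is an added example (not from the original thread, and not a Splunk search) that parses two snapshots of sshd_config the way sshd would and alerts only when the effective value becomes "yes". Both snapshots are constructed sample data; the default value used when the directive is absent is OpenSSH's documented default.

```python
import re

# sshd's default when no PermitRootLogin directive is present (OpenSSH 7.0+).
DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"

# "Keyword value" or "Keyword=value" (sshd allows optional whitespace around '=').
_DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=\s*|\s+)(\S+)")


def effective_permit_root_login(config_text):
    """Return the PermitRootLogin value sshd would apply outside any Match block.

    Rules applied, as sshd_config(5) describes them: lines that are empty or
    start with '#' are comments, keywords are case-insensitive, the FIRST
    occurrence of a keyword wins, and directives after the first 'Match' line
    are conditional. Include directives are not followed (limitation).
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip('"').lower()
        if keyword == "match":
            break
        if keyword == "permitrootlogin":
            # 'without-password' is the deprecated alias of 'prohibit-password'.
            return "prohibit-password" if value == "without-password" else value
    return DEFAULT_PERMIT_ROOT_LOGIN


def root_login_flip(before, after):
    """Compare two snapshots; alert only when root login becomes 'yes'."""
    old = effective_permit_root_login(before)
    new = effective_permit_root_login(after)
    return {"before": old, "after": new, "alert": old != "yes" and new == "yes"}


# Constructed sample snapshots (not taken from any real host).
BEFORE = """\
# sshd_config before the change
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

AFTER = """\
# sshd_config after the change: the '=' form, inserted above the old line
Port 22
#PermitRootLogin prohibit-password
permitrootlogin = yes
PermitRootLogin no
PasswordAuthentication yes
"""

if __name__ == "__main__":
    print(root_login_flip(BEFORE, AFTER))
```

Note that the commented-out `#PermitRootLogin prohibit-password` line and the `PermitRootLogin yes` inside the Match block do not change the global result, while the lower-case `permitrootlogin = yes` inserted above the existing `no` line does; a search that only looks for the literal string "PermitRootLogin yes" would miss it.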
You can use the fschange input to be notified when a file changes without getting data from the file itself. That input has been deprecated for quite a while, so it may go away at any time, however.
Thank you for your reply. I did some research. I think I can use the command parameter in Linux for tracking who edited those files. For example, people use the vi, nano and echo commands to make changes to a file. Do you have any idea about this stuff?
Yes, it should be possible to parse the command log (if present on the system) to find commands that changed a given file, although it may be possible for users to obfuscate their attempts.
What about the Linux add-on? Can I do this kind of job with that?
Possibly. There are several Linux add-ons and one or more of them may help. The "Linux Auditd Technology Add-on" (https://splunkbase.splunk.com/app/4232) looks promising; however, it only parses the data. It's up to you to get the data into Splunk.
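To show what the auditd route from the last two replies gives you, here is an added example (not from the original thread and not the Linux Auditd TA's own parsing) that reads raw auditd records for a watch rule on sshd_config and reports who wrote to the file. It assumes a rule such as `-w /etc/ssh/sshd_config -p wa -k sshd_config` is loaded, so each write produces an event of several records (SYSCALL, CWD, PATH, PROCTITLE) sharing one `msg=audit(TIME:SERIAL)` stamp. The records below are constructed sample data written in auditd's native line format; the uids, inodes and pids are invented.

```python
import re
from collections import defaultdict

WATCHED_PATH = "/etc/ssh/sshd_config"

# key=value pairs; values are either "quoted" or a run of non-whitespace.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Every record of one event carries the same msg=audit(TIME:SERIAL) stamp.
_STAMP = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def _decode_hex(value):
    """auditd hex-encodes fields (proctitle, some names) that contain spaces
    or control characters; argv entries are separated by NUL bytes."""
    return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")


def parse_record(line):
    """Turn one auditd record into a dict; quotes and hex encoding removed."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"'):
            value = value[1:-1]
        elif key == "proctitle":
            value = _decode_hex(value)
        fields[key] = value
    stamp = _STAMP.search(line)
    fields["_time"], fields["_serial"] = stamp.group(1), stamp.group(2)
    return fields


def group_events(lines):
    """Group records by serial so SYSCALL, PATH and PROCTITLE stay together."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events[rec["_serial"]].append(rec)
    return events


def writes_to(lines, path=WATCHED_PATH):
    """One summary per event whose PATH records name `path`.

    Matching is on the PATH name only, not on nametype: an editor that saves
    by writing a temp file and renaming it over the target produces
    CREATE/DELETE path records for the same name instead of NORMAL.
    """
    hits = []
    for serial, records in group_events(lines).items():
        by_type = defaultdict(list)
        for rec in records:
            by_type[rec["type"]].append(rec)
        if not any(p.get("name") == path for p in by_type["PATH"]):
            continue
        titles = by_type["PROCTITLE"]
        for sc in by_type["SYSCALL"]:
            hits.append({
                "serial": serial, "time": sc["_time"],
                "auid": sc.get("auid"),    # login uid; survives sudo/su
                "uid": sc.get("uid"),      # effective identity at write time
                "comm": sc.get("comm"), "exe": sc.get("exe"),
                "success": sc.get("success"), "key": sc.get("key"),
                "proctitle": titles[0]["proctitle"] if titles else None,
            })
    return hits


# Constructed sample records (not a real capture). Event 301: a sudo'd vim
# edit. Event 302: `echo ... >> sshd_config`; the redirect is done by the
# shell, so auditd attributes the write to sh, not to echo. Event 303: a write
# to another file under a different key, which must be ignored.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c0a7e2a0 a2=241 a3=1a4 items=2 ppid=2201 pid=2210 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="sshd_config"
type=CWD msg=audit(1700000000.101:301): cwd="/root"
type=PATH msg=audit(1700000000.101:301): item=0 name="/etc/ssh/" inode=262145 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:301): item=1 name="/etc/ssh/sshd_config" inode=262190 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.101:301): proctitle=76696D002F6574632F7373682F737368645F636F6E666967
type=SYSCALL msg=audit(1700000000.250:302): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55e0b2c1d3f0 a2=441 a3=1b6 items=2 ppid=2301 pid=2310 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="sh" exe="/usr/bin/dash" subj=unconfined key="sshd_config"
type=CWD msg=audit(1700000000.250:302): cwd="/home/alice"
type=PATH msg=audit(1700000000.250:302): item=0 name="/etc/ssh/" inode=262145 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.250:302): item=1 name="/etc/ssh/sshd_config" inode=262190 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.250:302): proctitle=7368002D63006563686F205065726D6974526F6F744C6F67696E20796573203E3E202F6574632F7373682F737368645F636F6E666967
type=SYSCALL msg=audit(1700000000.400:303): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55f1a3b2c4d0 a2=241 a3=1a4 items=2 ppid=2401 pid=2410 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="etc_changes"
type=PATH msg=audit(1700000000.400:303): item=1 name="/etc/ssh/ssh_config" inode=262191 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

if __name__ == "__main__":
    for hit in writes_to(SAMPLE_AUDIT_LOG.splitlines()):
        print(hit)
```

Two things this brings out for the alert you want: `auid` (the login uid) is the field to report, because `uid=0` after sudo tells you nothing about the person; and the decoded PROCTITLE of event 302 shows the command line even though `comm` only says `sh`, which is what makes the echo case from the earlier reply attributable.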