Getting Data In

How to track file modifications on a Linux server as an alert?

10061987
Engager

Dear Community,

I have 2 questions.

First, I have index=linux and some computers. I want to track file modifications to the sudoers and sshd_config files. For example, if someone makes a change to sshd_config, I want to see this change in Splunk as an alert. I searched the internet about this and couldn't find anything. Actually, the real thing I want is to track changes to the PermitRootLogin string (sshd_config) from No to Yes, but as far as I know this is hard to detect in Splunk.

Any help would be appreciated!


richgalloway
SplunkTrust

You can use the fschange input to be notified when a file changes without getting data from the file itself.  That input has been deprecated for quite a while so it may go away at any time, however.

---
If this reply helps you, Karma would be appreciated.

10061987
Engager

Thank you for your reply. I did some research. I think I can use the command parameter in Linux to track who edited those files. For example, people use the vi, nano and echo commands to make changes to a file. Do you have any idea about this?

richgalloway
SplunkTrust

Yes, it should be possible to parse the command log (if present on the system) to find commands that changed a given file, although it may be possible for users to obfuscate their attempts.


10061987
Engager

What about the Linux add-on? Can I do this kind of job with that?

richgalloway
SplunkTrust

Possibly.  There are several Linux add-ons and one or more of them may help.  The "Linux Auditd Technology Add-on" (https://splunkbase.splunk.com/app/4232) looks promising, however, it only parses the data.  It's up to you to get the data into Splunk.

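As an added example that is not part of this thread and not code from the Linux Auditd add-on, the Python below does the two things discussed above: it works out which process and which login user wrote to a watched file from auditd records (the alternative to parsing a shell command log, which users can obfuscate), and it checks whether a new sshd_config actually turned PermitRootLogin on. It assumes auditd watch rules on the two files with the rule keys shown in the comments (the key names are mine); the audit.log lines and the sshd_config contents are constructed samples, not real captures. Once the same records are indexed in Splunk, the search is the same idea: filter on the rule key and report auid, exe and the file name.

```python
"""Detect writes to watched files from auditd records and flag PermitRootLogin flips."""
import re
from collections import defaultdict

# Assumed audit rules (hypothetical key names), loaded from /etc/audit/rules.d/:
#   -w /etc/ssh/sshd_config -p wa -k sshd_config_change
#   -w /etc/sudoers         -p wa -k sudoers_change
WATCH_KEYS = {"sshd_config_change", "sudoers_change"}

# Constructed sample /var/log/audit/audit.log lines (not real captures).
# The serial after the timestamp (e.g. 4567) ties a SYSCALL record to its PATH records.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1718000000.123:4567): arch=c000003e syscall=257 success=yes exit=3 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="sshd_config_change"
type=CWD msg=audit(1718000000.123:4567): cwd="/root"
type=PATH msg=audit(1718000000.123:4567): item=0 name="/etc/ssh/" inode=100 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1718000000.123:4567): item=1 name="/etc/ssh/sshd_config" inode=123 dev=fd:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1718000050.456:4570): arch=c000003e syscall=257 success=yes exit=3 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="tmp_write"
type=PATH msg=audit(1718000050.456:4570): item=0 name="/tmp/notes.txt" inode=555 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into (type, timestamp, serial, {field: value})."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, float(ts), int(serial), fields


def group_events(log_text):
    """Group records by serial so a SYSCALL record stays with its PATH records."""
    events = defaultdict(lambda: {"syscall": None, "paths": [], "time": None})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        ev = events[serial]
        ev["time"] = ts
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return events


def watched_file_writes(log_text, keys=WATCH_KEYS):
    """One alert per audit event whose rule key is in `keys`."""
    alerts = []
    for serial, ev in sorted(group_events(log_text).items()):
        sc = ev["syscall"]
        if not sc or sc.get("key") not in keys:
            continue
        # Skip the PARENT directory entry; keep the file(s) actually touched.
        files = [p["name"] for p in ev["paths"] if p.get("nametype") != "PARENT"]
        alerts.append({
            "serial": serial,
            "key": sc["key"],
            "auid": sc.get("auid"),  # login uid: survives sudo/su, unlike uid=0
            "uid": sc.get("uid"),
            "exe": sc.get("exe"),
            "comm": sc.get("comm"),
            "files": files,
        })
    return alerts


# Uncommented directive only; sshd honours the first occurrence. Match blocks are
# not handled here, so a value set inside one would be missed.
PERMIT_RE = re.compile(r'^\s*PermitRootLogin\s+(\S+)', re.IGNORECASE | re.MULTILINE)


def permit_root_login(sshd_config_text):
    """Effective PermitRootLogin value; OpenSSH's default is prohibit-password."""
    m = PERMIT_RE.search(sshd_config_text)
    return m.group(1).lower() if m else "prohibit-password"


def root_login_enabled(old_cfg, new_cfg):
    """True when the change turns root password login on (anything -> yes)."""
    return permit_root_login(old_cfg) != "yes" and permit_root_login(new_cfg) == "yes"


# Constructed before/after sshd_config samples.
OLD_SSHD_CONFIG = "Port 22\n#PermitRootLogin prohibit-password\nPermitRootLogin no\n"
NEW_SSHD_CONFIG = "Port 22\n#PermitRootLogin prohibit-password\nPermitRootLogin yes\n"

if __name__ == "__main__":
    for a in watched_file_writes(SAMPLE_AUDIT_LOG):
        print(f"[{a['key']}] auid={a['auid']} uid={a['uid']} exe={a['exe']} files={a['files']}")
    if root_login_enabled(OLD_SSHD_CONFIG, NEW_SSHD_CONFIG):
        print("ALERT: PermitRootLogin changed to yes")
```

Two points carry over to the Splunk alert: trigger on the rule key rather than on the editor name (vi, nano and echo all end in the same write or rename syscall, and a watch rule catches a copy with cp or a redirect just as well), and report auid, not uid, since an editor run under sudo shows uid=0 while auid still names the person who logged in. The content check needs the file itself, so pair the audit trail with a monitor input on sshd_config or a scheduled dump of the effective value.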