Hi there,
Our system administration team wanted something from the Blue Team. They want to view root-privileged users except the root user. They want to see [0:0] UID users except the root user. Is it possible to see who has [0:0] UID?
root:x:0:0:root:/root:/bin/bash
I'm confused in this job. Any help would be appreciated!
Kind Regards.
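As an added example (not part of the original post or of Splunk_TA_nix), here is a small shell check for exactly the question asked: which accounts besides root carry UID 0 (and which of those are exact [0:0]). It reads passwd-format lines on stdin, so it works on /etc/passwd or on `getent passwd` output; the sample account names ("toor", "ops") are constructed, and the SPL in the comment assumes an index of os and the Unix:UserAccounts sourcetype.

```shell
#!/bin/sh
# Added example, not the thread's or Splunk_TA_nix's code: list accounts that share UID 0
# with root. Input is passwd-format lines (user:pw:uid:gid:gecos:home:shell) on stdin,
# e.g. from `getent passwd` (includes LDAP/AD users) or from /etc/passwd (local only).

# Print every account with UID 0 other than root, as user:uid:gid so [0:0] stands out.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 ":" $3 ":" $4 }'
}

# Same filter restricted to exact [0:0] (UID 0 and GID 0) accounts other than root.
uid0_gid0_accounts() {
    awk -F: '$3 == 0 && $4 == 0 && $1 != "root" { print $1 }'
}

# Constructed sample passwd content for a stand-alone run; "toor" and "ops" are
# hypothetical account names, not real ones.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:alt root:/root:/bin/sh
ops:x:0:100:uid 0 but gid 100:/home/ops:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
EOF
}

# Once the same lines are in Splunk (index and sourcetype are assumptions; adjust to
# what your environment uses), the equivalent search is:
#   index=os sourcetype=Unix:UserAccounts
#   | rex field=_raw "^(?<user>[^:]+):[^:]*:(?<uid>\d+):(?<gid>\d+):"
#   | search uid=0 user!=root
#   | stats latest(_time) AS last_seen BY host user uid gid

# Stand-alone run against the constructed sample: ./uid0_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_passwd | uid0_accounts
fi
```

In the sample, `uid0_accounts` reports both "toor" (exact [0:0]) and "ops" (UID 0 with a non-zero GID); only the former is returned by `uid0_gid0_accounts`. Any hit from either function on a real host is worth an immediate look, since a second UID 0 account is a classic persistence sign.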
Does someone have any idea please?
Hi @10061987,
if you have already installed the Splunk_TA_nix Add-On, you should already have this file; you only have to enable the input.
Then you have to search in these files indexed in Splunk.
Ciao.
Giuseppe
Yes, I found the add-on that you mentioned. I need the passwd.sh feature. How can I configure that? I couldn't find an example of these input scripts. I have no idea how to configure those scripts.
Hi
you should just enable that input in the inputs.conf on your Linux box.
BUT there is an issue if you are using anything other than local accounts in /etc/passwd (like AD or LDAP authentication). This passwd.sh reads only entries from the /etc/passwd file, nothing else. It's quite common that most users are in LDAP or AD and are authenticated and authorised against those directories. Then there is no information about those users on the local server. Probably most Linux shops (more than a couple of servers) do it that way.
Unfortunately Splunk_TA_nix currently doesn't support anything other than local accounts.
Basically you could try to create a new check like passwd_getent.sh, which is a copy of passwd.sh with the following modification.
CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $PASSWD_FILE ; cat $PASSWD_FILE'
====>
CMD='eval date ; eval LD_LIBRARY_PATH=$SPLUNK_HOME/lib $SPLUNK_HOME/bin/openssl sha256 $PASSWD_FILE ; getent passwd'
This should work in most recent Linux versions, but unfortunately I don't have a suitable environment to test it now.
Of course you need to fix the check in inputs.conf too.
r. Ismo
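As an added example (not Ismo's script and not Splunk_TA_nix's passwd.sh), here is a scripted-input style snapshot that follows the structure Ismo describes (a date header, a checksum of the source, then the account list) but takes the accounts from `getent passwd` so directory users are included. It assumes coreutils `sha256sum` (the TA uses `$SPLUNK_HOME/bin/openssl`), a PASSWD_FILE default of /etc/passwd, and an inputs.conf stanza whose script name and interval are placeholders.

```shell
#!/bin/sh
# Added example, not Splunk_TA_nix's passwd.sh: snapshot local plus directory accounts
# in the shape the TA's scripted input emits (header, checksum, entries).
# Assumptions: coreutils sha256sum exists; PASSWD_FILE defaults to /etc/passwd and is
# used only for the checksum and as the fallback when getent is unavailable.
#
# Matching inputs.conf stanza (assumed names; interval is a placeholder):
#   [script://./bin/passwd_getent.sh]
#   interval = 3600
#   sourcetype = Unix:UserAccounts
#   disabled = 0

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# Emit one snapshot. With a file argument the accounts are read from that file (used for
# offline testing); without one, `getent passwd` is used and /etc/passwd is the fallback.
passwd_snapshot() {
    src="${1:-$PASSWD_FILE}"
    printf 'date=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'sha256=%s\n' "$(sha256sum "$src" | awk '{print $1}')"
    if [ $# -eq 0 ] && command -v getent >/dev/null 2>&1; then
        getent passwd
    else
        cat "$src"
    fi
}

# Count account entries in a snapshot read on stdin. The pattern requires a numeric UID
# and GID in fields 3 and 4, so the date= and sha256= header lines are not counted.
snapshot_accounts() {
    grep -c '^[^:]*:[^:]*:[0-9][0-9]*:[0-9][0-9]*:'
}

# Stand-alone run (what the Splunk forwarder would capture): ./passwd_getent.sh
if [ "${1:-}" = "--run" ]; then
    passwd_snapshot
fi
```

Because the checksum is taken over the local file only, a change in an LDAP or AD account will show up in the entry lines but not in the sha256 line; if you want change detection for directory users as well, hash the `getent passwd` output instead of the file.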
Forgive me, but I couldn't understand what you mean. I am trying to view this content with SPL.
Hi @10061987,
SPL is the Splunk language to see, group and elaborate (and many other things) the logs, but you must already have the logs in order to search them.
The main question is: have you already ingested the logs from /etc/passwd, or do you still have to ingest them?
Logs are usually ingested using an Add-On, in this case the Splunk TA for nix systems that I mentioned above or a custom Add-On.
If you already ingested them, you have to understand which index and source (or sourcetype) were used; probably the index was "os" and the source was "/etc/passwd".
In this case you can run a search like:
index=os source="/etc/passwd"
to extract all the values you ingested; then you should check whether these logs were ingested divided by rows or as one single file (usually by row). In this case you could run a simple search to understand if there were modifications or updates:
index=os source="/etc/passwd"
| eval timestamp=strftime(_time,"%Y-%m-%d %H:%M:%S")
| stats dc(_raw) AS raw_count list(timestamp) AS timestamp
| where raw_count>1
with the list of the changed values.
Ciao.
Giuseppe
I tried your search but it didn't work. 0 results.
Hi @10061987 ,
in the Splunk_TA_nix, there's an input stanza for /etc/passwd that's usually disabled.
If you enable it, you'll have the content of the above file with sourcetype=Unix:UserAccounts,
so you can run a search like the following:
index=os sourcetype=Unix:UserAccounts
| eval timestamp=strftime(_time,"%Y-%m-%d %H:%M:%S")
| stats dc(_raw) AS raw_count list(timestamp) AS timestamp
| where raw_count>1
Obviously check if you stored Unix logs in the os index.
Ciao.
Giuseppe
There is another method that could be used: first allow access to /etc/passwd by Splunk (setfacl -Rdm /etc/passwd), then within the UF monitor that file. The source will be /etc/passwd and you will be able to search the passwd file and see when it changes.
Hope this helps!
Thank you so much! I will install the TA_nix add-on tomorrow. One more question: I have a problem like this.
Can you help me?