Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure the indexer for Linux Logs?

kymenope
Explorer
‎03-21-2023 09:34 AM

I am attempting to audit the usage of commands such as chown or chomod on my linux environment.  Through the below query I am able to see the list of user's, hosts, and the commands that were run but not the files or directories that they were run on.  There are no fields in the event viewer that show filepaths or directories of any kind.

index=myindex  comm="chmod"  | table date , host , AUID , comm , exe , source

 

Any assistance would be appreciated.  Pretty new to Splunk

Labels (2)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-21-2023 11:27 AM

I suppose you're talking about data from linux audit logs. It's not as much about ingesting data into Splunk as such but more about making auditd report them in the first place. And that's a huuuuuuge topic. You can log quite a lot with auditd but of course the more you raise verbosity of your logs, the more burden you put on your system both in performance penalty of logging everything as well as storage use.

Since it's a very non Splunk-specific topic I'd suggest starting with https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-sy... - it's a relatively comprehensive guide to auditd.

0 Karma
Reply

kymenope
Explorer
‎03-21-2023 11:52 AM

That is exactly what I am referencing.  In the inputs.conf I am monitoring several /var/log locations on my linux indexer but am still not seeing the results I am hoping to see. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-22-2023 01:20 AM

1. "Monitoring several /var/log locations" will surely give you several different types of logs. Not only audit logs but a whole bunch of other stuff.

2. Just because you add more monitored files to your forwarder doesn't mean that your OS logs what you need.

3. Are you sure you want to monitor _your indexer_? Are other users working directly on your indexer?

0 Karma
Reply

kymenope
Explorer
‎03-22-2023 07:09 AM

There are several user's who use the search head but I'm the only one making configuration changes to the indexer.  As it stands I can see tons of data but am having trouble pulling very specific fields such as filepath, filename, or the names of objects affected by user modification.  I'll take a look at auditd and see what I can find.

 

Thanks

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-22-2023 07:37 AM

No, of course people use the search head as per splunk service.

I meant working directly on the server - logging in via ssh and stuff flike that. Your users do that on the search-head? Or on the indexer???

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...