Re: What folder permission is need to monitor bash...

Feedy · ‎02-01-2017

I've been trying to capture bash_history logs but I am not seeing this log populate in Splunk. I am able to get top, who, netstat and several others but the only one that is missing is bash_history. I checked my inputs.conf file and it matches correctly to another instance. I've also restarted the splunkforwarder. The only thing left that I am thinking could be the issue is the folder permissions for ///root/.bash_history and ///home/.../.bash_history. If that is the issue, my question is what should the permissions be set to? Here is my stanza for bash_history.

### bash history
[monitor:///root/.bash_history]
disabled = 0
sourcetype = bash_history
index = home

[monitor:///home/.../.bash_history]
disabled = 0
sourcetype = bash_history
index = home

dwaddle · ‎02-06-2017

Might have a look at http://www.duanewaddle.com/splunking-bash-history/ for ideas. Some permissions problems and such may remain, but it's perhaps better?

Feedy · ‎02-06-2017

@somesoni2 how would I go about giving the Splunk user access to the ///home/.../.bash_history? The user:group shows as the current user that I'm logged in as. I am getting the logs from ///root/.bash_history? The user:group shows as root:root.

somesoni2 · ‎02-01-2017

You (the account under which Splunk service is running) needs to have read permission on the file/folder it's monitoring.

What folder permission is need to monitor bash_history?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation