I've been trying to capture bash_history logs but I am not seeing this log populate in Splunk. I am able to get top, who, netstat and several others but the only one that is missing is bash_history. I checked my inputs.conf file and it matches correctly to another instance. I've also restarted the splunkforwarder. The only thing left that I am thinking could be the issue is the folder permissions for ///root/.bash_history and ///home/.../.bash_history. If that is the issue, my question is what should the permissions be set to? Here is my stanza for bash_history.
```
### bash history
[monitor:///root/.bash_history]
disabled = 0
sourcetype = bash_history
index = home

[monitor:///home/.../.bash_history]
disabled = 0
sourcetype = bash_history
index = home
```
@somesoni2 how would I go about giving the Splunk user access to the ///home/.../.bash_history? The user:group shows as the current user that I'm logged in as. I am getting the logs from ///root/.bash_history? The user:group shows as root:root.
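
A read-only diagnostic for the permissions question in this thread, added here as an example and not part of the original posts or of any Splunk tooling: given an account's uid and group ids, it walks from a monitored `.bash_history` file up through its parent directories and reports the component whose mode bits deny that account read or search access. The function names, the account name `splunk` and the user `alice` are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Mode bits only: ACLs and SELinux labels are not evaluated.
# Run as root so every path component can be stat'ed.

# perms_for UID "GID ..." PATH -> prints the rwx triplet that applies to UID
perms_for() {
    uid=$1 gids=$2 path=$3
    line=$(ls -ldn "$path") || return 2   # e.g. "-rw------- 1 0 0 ..."
    set -- $line
    mode=$1 owner=$3 group=$4
    if [ "$uid" = "$owner" ]; then
        echo "$mode" | cut -c2-4; return 0
    fi
    for g in $gids; do
        if [ "$g" = "$group" ]; then
            echo "$mode" | cut -c5-7; return 0
        fi
    done
    echo "$mode" | cut -c8-10
}

# find_blocker UID "GID ..." FILE [TOP]
# Walks from FILE up to TOP (default /). Prints the deepest component that
# denies access and returns 1; prints nothing and returns 0 if none does.
find_blocker() {
    uid=$1 gids=$2 file=$3 top=${4:-/}
    case $(perms_for "$uid" "$gids" "$file") in
        r??) ;;                          # the file itself needs read
        *) echo "$file"; return 1 ;;
    esac
    dir=$(dirname "$file")
    while :; do
        case $(perms_for "$uid" "$gids" "$dir") in
            ??[xst]) ;;                  # directories need search (x)
            *) echo "$dir"; return 1 ;;
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    return 0
}

# Usage (account "splunk" and user "alice" are assumed names):
#   find_blocker "$(id -u splunk)" "$(id -G splunk)" /home/alice/.bash_history
```

A home directory with mode 700 is reported even when the history file itself is group- or world-readable, because the forwarder account cannot traverse into it.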