Monitoring Splunk

splunk client ssh

obadr56
Loves-to-Learn

I have installed CentOS 7 on a EC2 server and on CentOS 7 Installed splunk and universal forwarding.  Now I need help with how to store client ssh login and logoff record?.

0 Karma

ephemeric
Contributor

It sounds like you want to monitor on CentOS7: `/var/log/secure` as that file has all the entries for SSH sessions.

To make things less complicated: run the SUF as `root`, it will be easier to understand how things work. You can test on an isolated EC2 instance and secure later.

If you want to forward `/var/log/secure` from other EC2 instances to your indexer, those will only require a SUF installed.

You do not need a SUF and indexer installed on the same host. If you have installed Splunk proper, with web and all you can add a monitor input for `/var/log/secure`.

0 Karma

obadr56
Loves-to-Learn

I am trying to setup splunk so it can store client ssh login and logoff record how do I do that with splunk?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

First, there's rarely a need to install Splunk and a universal forwarder on the same server.  Install one or the other.

Second, please describe your use case in more detail.  What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.
0 Karma

obadr56
Loves-to-Learn

So what do I have to do to have splunk to store client ssh login and logoff record on my ec2 instance with centos 7 installed do I have to remove universal forwarding and install it on another ec2 please help and advise.  I am new to Splunk so be patient with me thanks a lot for helping.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Use Splunk or the UF to monitor /var/log/audit/audit.log on each EC2 instance.  Do that by adding a monitor stanza to the inputs.conf file on each instance. 

You will need to use SELinux or SETFACL to give Splunk (or the UF) permission to read the file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...