Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

splunk client ssh

obadr56
Loves-to-Learn
‎05-03-2021 03:24 PM

I have installed CentOS 7 on a EC2 server and on CentOS 7 Installed splunk and universal forwarding.  Now I need help with how to store client ssh login and logoff record?.

0 Karma
Reply

ephemeric
Contributor
‎08-23-2021 12:01 PM

It sounds like you want to monitor on CentOS7: `/var/log/secure` as that file has all the entries for SSH sessions.

To make things less complicated: run the SUF as `root`, it will be easier to understand how things work. You can test on an isolated EC2 instance and secure later.

If you want to forward `/var/log/secure` from other EC2 instances to your indexer, those will only require a SUF installed.

You do not need a SUF and indexer installed on the same host. If you have installed Splunk proper, with web and all you can add a monitor input for `/var/log/secure`.

0 Karma
Reply

obadr56
Loves-to-Learn
‎05-03-2021 04:19 PM

I am trying to setup splunk so it can store client ssh login and logoff record how do I do that with splunk?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2021 04:14 PM

First, there's rarely a need to install Splunk and a universal forwarder on the same server.  Install one or the other.

Second, please describe your use case in more detail.  What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

obadr56
Loves-to-Learn
‎05-03-2021 04:38 PM

So what do I have to do to have splunk to store client ssh login and logoff record on my ec2 instance with centos 7 installed do I have to remove universal forwarding and install it on another ec2 please help and advise.  I am new to Splunk so be patient with me thanks a lot for helping.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-04-2021 05:15 AM

Use Splunk or the UF to monitor /var/log/audit/audit.log on each EC2 instance.  Do that by adding a monitor stanza to the inputs.conf file on each instance. 

You will need to use SELinux or SETFACL to give Splunk (or the UF) permission to read the file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top