Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

splunk client ssh

obadr56
Loves-to-Learn
‎05-03-2021 03:24 PM

I have installed CentOS 7 on a EC2 server and on CentOS 7 Installed splunk and universal forwarding.  Now I need help with how to store client ssh login and logoff record?.

0 Karma
Reply

ephemeric
Contributor
‎08-23-2021 12:01 PM

It sounds like you want to monitor on CentOS7: `/var/log/secure` as that file has all the entries for SSH sessions.

To make things less complicated: run the SUF as `root`, it will be easier to understand how things work. You can test on an isolated EC2 instance and secure later.

If you want to forward `/var/log/secure` from other EC2 instances to your indexer, those will only require a SUF installed.

You do not need a SUF and indexer installed on the same host. If you have installed Splunk proper, with web and all you can add a monitor input for `/var/log/secure`.

0 Karma
Reply

obadr56
Loves-to-Learn
‎05-03-2021 04:19 PM

I am trying to setup splunk so it can store client ssh login and logoff record how do I do that with splunk?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2021 04:14 PM

First, there's rarely a need to install Splunk and a universal forwarder on the same server.  Install one or the other.

Second, please describe your use case in more detail.  What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

obadr56
Loves-to-Learn
‎05-03-2021 04:38 PM

So what do I have to do to have splunk to store client ssh login and logoff record on my ec2 instance with centos 7 installed do I have to remove universal forwarding and install it on another ec2 please help and advise.  I am new to Splunk so be patient with me thanks a lot for helping.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-04-2021 05:15 AM

Use Splunk or the UF to monitor /var/log/audit/audit.log on each EC2 instance.  Do that by adding a monitor stanza to the inputs.conf file on each instance. 

You will need to use SELinux or SETFACL to give Splunk (or the UF) permission to read the file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...