I have installed CentOS 7 on an EC2 server and on CentOS 7 installed Splunk and the universal forwarder. Now I need help with how to store client SSH login and logoff records.
It sounds like you want to monitor `/var/log/secure` on CentOS 7, as that file has all the entries for SSH sessions.
To make things less complicated, run the SUF as `root`; it will be easier to understand how things work. You can test on an isolated EC2 instance and secure it later.
If you want to forward `/var/log/secure` from other EC2 instances to your indexer, those will only require a SUF installed.
You do not need a SUF and an indexer installed on the same host. If you have installed Splunk proper, with the web UI and all, you can add a monitor input for `/var/log/secure`.
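As an added example for the answer above (not code from the original thread), here is the monitor stanza for `/var/log/secure` together with a look at the sshd records it contains. The assumptions are: the forwarder lives at `/opt/splunkforwarder` (the RPM default), an index named `os` exists on the indexer (any name works), and `linux_secure` is used as the sourcetype because that is the name the Splunk Add-on for Unix and Linux gives this file, so its field extractions apply if the add-on is installed. The log lines are constructed in CentOS 7 rsyslog format, not captured from a real host.

```shell
#!/bin/sh
# Added example for the answer above; not code from the original thread.
# Assumptions: forwarder installed at /opt/splunkforwarder (RPM default),
# an index named "os" exists on the indexer, and "linux_secure" is the
# sourcetype (the one the Splunk Add-on for Unix and Linux uses for this file).

# Append a monitor stanza for /var/log/secure to the given inputs.conf.
write_secure_monitor() {
    conf=$1
    mkdir -p "$(dirname "$conf")"
    cat >>"$conf" <<'EOF'
[monitor:///var/log/secure]
disabled = false
sourcetype = linux_secure
index = os
EOF
}

# Constructed /var/log/secure lines: one SSH login, the PAM session open and
# close that bracket it, a failed login that must not count as a session,
# and an unrelated sudo line.
sample_secure() {
    cat <<'EOF'
Jul 10 10:15:01 ip-10-0-0-12 sshd[2345]: Accepted publickey for centos from 203.0.113.5 port 51234 ssh2: RSA SHA256:1Fb1qwAzPQ8
Jul 10 10:15:01 ip-10-0-0-12 sshd[2345]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jul 10 10:16:20 ip-10-0-0-12 sshd[2350]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Jul 10 10:20:33 ip-10-0-0-12 sshd[2345]: pam_unix(sshd:session): session closed for user centos
Jul 10 10:21:00 ip-10-0-0-12 sudo: centos : TTY=pts/0 ; PWD=/home/centos ; USER=root ; COMMAND=/bin/ls
EOF
}

# Reduce sshd lines to tab-separated "event user source_ip sshd_pid" records.
# The pid of the privileged sshd ties the "Accepted" line to its PAM session
# open and close, which is the same join a Splunk search needs to pair a
# login with its logoff.
ssh_session_events() {
    awk '
        $5 ~ /^sshd\[[0-9]+\]:$/ {
            pid = $5; sub(/^sshd\[/, "", pid); sub(/\]:$/, "", pid)
            if ($6 == "Accepted") { printf "login\t%s\t%s\t%s\n", $9, $11, pid; next }
            if ($0 ~ /session opened for user/) { printf "session_open\t%s\t-\t%s\n", $11, pid; next }
            if ($0 ~ /session closed for user/) { printf "session_close\t%s\t-\t%s\n", $11, pid; next }
        }'
}

# Run stand-alone: print the records the search would return. Pass --install
# (as root, on the forwarder host) to add the stanza and restart the forwarder.
sample_secure | ssh_session_events
if [ "${1:-}" = "--install" ]; then
    write_secure_monitor /opt/splunkforwarder/etc/system/local/inputs.conf
    /opt/splunkforwarder/bin/splunk restart
fi
```

Once the data is indexed, a search such as `index=os sourcetype=linux_secure sshd ("Accepted" OR "session opened" OR "session closed")` returns exactly the three kinds of record the script tags; the `Failed password` line is what you would alert on separately. Note that on CentOS 7 rsyslog creates `/var/log/secure` as root with mode 0600, which is why running the forwarder as `root`, as suggested above, sidesteps the read-permission question while you are testing.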
I am trying to set up Splunk so it can store client SSH login and logoff records. How do I do that with Splunk?
First, there's rarely a need to install Splunk and a universal forwarder on the same server. Install one or the other.
Second, please describe your use case in more detail. What problem are you trying to solve?
So what do I have to do to have Splunk store client SSH login and logoff records on my EC2 instance with CentOS 7 installed? Do I have to remove the universal forwarder and install it on another EC2 instance? Please help and advise. I am new to Splunk, so be patient with me. Thanks a lot for helping.
Use Splunk or the UF to monitor `/var/log/audit/audit.log` on each EC2 instance. Do that by adding a monitor stanza to the `inputs.conf` file on each instance.
You will need to use SELinux or `setfacl` to give Splunk (or the UF) permission to read the file.
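As an added example for the answer above (not code from the original thread), the following script does the two things it describes, granting the forwarder read access to the audit log with `setfacl` and adding the monitor stanza, and then shows which audit records make up an SSH login and logoff and how to pair them. It assumes the forwarder runs as the local user `splunk` (the user the RPM creates), is installed at `/opt/splunkforwarder`, that auditd keeps `/var/log/audit/audit.log` as root with mode 0600 inside a 0700 directory (the CentOS 7 defaults), that the `acl` package is installed, and that an index named `os` exists. The audit lines are constructed, not captured.

```shell
#!/bin/sh
# Added example for the answer above; not code from the original thread.
# Assumptions: forwarder runs as user "splunk", lives at /opt/splunkforwarder,
# auditd writes /var/log/audit/audit.log as root 0600 in a 0700 directory,
# the "acl" package (setfacl/getfacl) is installed, and index "os" exists.

SPLUNK_USER=splunk
AUDIT_DIR=/var/log/audit
AUDIT_LOG=$AUDIT_DIR/audit.log

# Grant read access with a POSIX ACL instead of loosening the file mode.
# The directory needs search (x) permission too, or the file is unreachable.
grant_audit_read() {
    setfacl -m "u:$SPLUNK_USER:x" "$AUDIT_DIR"
    setfacl -m "u:$SPLUNK_USER:r" "$AUDIT_LOG"
    getfacl "$AUDIT_LOG"      # should now list user:splunk:r--
}

# Check the grant the way the forwarder will experience it.
verify_audit_read() {
    runuser -u "$SPLUNK_USER" -- head -c 1 "$AUDIT_LOG" >/dev/null
}

# Monitor stanza for the audit log, to be appended to the forwarder's inputs.conf.
audit_monitor_stanza() {
    cat <<'EOF'
[monitor:///var/log/audit/audit.log]
disabled = false
sourcetype = linux_audit
index = os
EOF
}

# Constructed audit.log lines: an SSH session (ses=5) opening and closing,
# with an "su" inside it that shares the session id and must be ignored.
sample_audit() {
    cat <<'EOF'
type=USER_START msg=audit(1499681701.120:310): pid=2345 uid=0 auid=1000 ses=5 msg='op=PAM:session_open acct="centos" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
type=USER_START msg=audit(1499681720.000:315): pid=2400 uid=1000 auid=1000 ses=5 msg='op=PAM:session_open acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_END msg=audit(1499682033.500:330): pid=2345 uid=0 auid=1000 ses=5 msg='op=PAM:session_close acct="centos" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
EOF
}

# Pair each sshd USER_START with its USER_END on the audit session id (ses=),
# the key auditd assigns at login; print one line per completed session.
ssh_audit_sessions() {
    awk '
        /exe="\/usr\/sbin\/sshd"/ {
            type = ses = acct = addr = ts = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^type=/)      type = substr($i, 6)
                else if ($i ~ /^ses=/)  ses = substr($i, 5)
                else if ($i ~ /^addr=/) addr = substr($i, 6)
                else if ($i ~ /^acct=/) { acct = substr($i, 6); gsub(/"/, "", acct) }
                else if ($i ~ /^msg=audit\(/) {
                    ts = $i; sub(/^msg=audit\(/, "", ts); sub(/\..*$/, "", ts)
                }
            }
            if (type == "USER_START") { start[ses] = ts; user[ses] = acct; src[ses] = addr }
            else if (type == "USER_END" && (ses in start))
                printf "ses=%s user=%s src=%s login=%s logoff=%s duration=%ds\n",
                       ses, user[ses], src[ses], start[ses], ts, ts - start[ses]
        }'
}

# Run stand-alone: print the paired session. Pass --apply (as root on the
# forwarder host) to grant the ACL, verify it, add the stanza and restart.
sample_audit | ssh_audit_sessions
if [ "${1:-}" = "--apply" ]; then
    grant_audit_read && verify_audit_read || exit 1
    audit_monitor_stanza >>/opt/splunkforwarder/etc/system/local/inputs.conf
    /opt/splunkforwarder/bin/splunk restart
fi
```

Two caveats worth knowing before relying on this: the ACL is attached to the file, and auditd's own log rotation renames `audit.log` and creates a fresh one, so re-check (or re-apply) the grant after a rotation; and the `su` record in the sample shares `ses=5` with the SSH session, which is why the script keys on `exe="/usr/sbin/sshd"` rather than on the session id alone. In Splunk the equivalent join is a `transaction ses` (or `stats` by `ses`) over `sourcetype=linux_audit` events with `type=USER_START` or `type=USER_END` and `exe="/usr/sbin/sshd"`.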