Monitoring Splunk

splunk client ssh

obadr56
Loves-to-Learn

I have installed CentOS 7 on an EC2 server, and on CentOS 7 I installed Splunk and the universal forwarder. Now I need help with how to store client SSH login and logoff records.

0 Karma

ephemeric
Contributor

It sounds like you want to monitor `/var/log/secure` on CentOS 7, as that file has all the entries for SSH sessions.

To make things less complicated, run the SUF as `root`; it will be easier to understand how things work. You can test on an isolated EC2 instance and secure it later.

If you want to forward `/var/log/secure` from other EC2 instances to your indexer, those will only require a SUF installed.

You do not need a SUF and an indexer installed on the same host. If you have installed Splunk proper, with web and all, you can add a monitor input for `/var/log/secure`.

0 Karma

obadr56
Loves-to-Learn

I am trying to set up Splunk so it can store client SSH login and logoff records. How do I do that with Splunk?

0 Karma

richgalloway
SplunkTrust

First, there's rarely a need to install Splunk and a universal forwarder on the same server. Install one or the other.

Second, please describe your use case in more detail. What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.
0 Karma

obadr56
Loves-to-Learn

So what do I have to do to have Splunk store client SSH login and logoff records on my EC2 instance with CentOS 7 installed? Do I have to remove the universal forwarder and install it on another EC2 instance? Please help and advise. I am new to Splunk, so be patient with me. Thanks a lot for helping.

0 Karma

richgalloway
SplunkTrust

Use Splunk or the UF to monitor /var/log/audit/audit.log on each EC2 instance. Do that by adding a monitor stanza to the inputs.conf file on each instance.

You will need to use SELinux or SETFACL to give Splunk (or the UF) permission to read the file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
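As an added illustration of the two answers above (not code from either poster), this script writes the monitor stanza into a UF app's inputs.conf and grants the `splunk` service account read access with setfacl, so the forwarder does not have to run as root. The app name `ssh_monitor`, the sourcetype `linux_secure` and the index `os_auth` are my assumptions; the same function covers `/var/log/audit/audit.log` by passing that path instead.

```sh
#!/bin/sh
# Assumed install location of the universal forwarder and an assumed app name.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
APP_DIR="$SPLUNK_HOME/etc/apps/ssh_monitor/local"
LOGFILE="${1:-/var/log/secure}"

# Emit an inputs.conf monitor stanza for the given file.
# Sourcetype and index names are assumptions; pick whatever your indexer uses.
ssh_monitor_stanza() {
  printf '[monitor://%s]\ndisabled = false\nsourcetype = linux_secure\nindex = os_auth\n' "$1"
}

# Grant the splunk user read-only access via a POSIX ACL and verify it took,
# instead of running the forwarder as root. Requires the acl package (setfacl/getfacl).
grant_read_acl() {
  setfacl -m u:splunk:r "$1" && getfacl -p "$1" | grep -q '^user:splunk:r--'
}

# Write the stanza and apply the ACL; restart the UF afterwards to pick it up.
install_monitor() {
  mkdir -p "$APP_DIR" &&
  ssh_monitor_stanza "$LOGFILE" > "$APP_DIR/inputs.conf" &&
  grant_read_acl "$LOGFILE"
}

# Uncomment to apply on the host (needs root to change ACLs on /var/log/secure):
# install_monitor && "$SPLUNK_HOME/bin/splunk" restart
```

A file-level ACL on `/var/log/secure` is lost when logrotate creates the next file, so either reapply it from a logrotate `postrotate` script or set a default ACL on the directory; with SELinux enforcing, the `splunk` user must also be allowed to read `var_log_t` files.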