
splunk client ssh

obadr56
Loves-to-Learn

I have installed CentOS 7 on an EC2 server and on CentOS 7 installed Splunk and the universal forwarder. Now I need help with how to store client SSH login and logoff records.

0 Karma

obadr56
Loves-to-Learn

I am trying to set up Splunk so it can store client SSH login and logoff records. How do I do that with Splunk?

0 Karma

richgalloway
SplunkTrust

First, there's rarely a need to install Splunk and a universal forwarder on the same server.  Install one or the other.

Second, please describe your use case in more detail.  What problem are you trying to solve?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

obadr56
Loves-to-Learn

So what do I have to do to have Splunk store client SSH login and logoff records on my EC2 instance with CentOS 7 installed? Do I have to remove the universal forwarder and install it on another EC2 instance? Please help and advise. I am new to Splunk, so be patient with me. Thanks a lot for helping.

0 Karma

richgalloway
SplunkTrust

Use Splunk or the UF to monitor /var/log/audit/audit.log on each EC2 instance.  Do that by adding a monitor stanza to the inputs.conf file on each instance.

You will need to use SELinux or SETFACL to give Splunk (or the UF) permission to read the file.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
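The two steps in the reply above (a monitor stanza for audit.log, then read permission for the Splunk account) as one shell script. This is an added example, not code from the thread or from Splunk; the `splunk` service account name, the `linux_audit` sourcetype, the `os` index and the inputs.conf location are assumptions to adjust for your own install.

```shell
#!/bin/sh
# Added example (not from the thread): write the inputs.conf monitor stanza for
# auditd's log and grant the Splunk/UF service account read access with setfacl.
# Assumed values: service account "splunk", sourcetype "linux_audit", index "os".
set -eu

AUDIT_LOG=/var/log/audit/audit.log
SPLUNK_USER=splunk
# On a UF the usual place is $SPLUNK_HOME/etc/system/local/inputs.conf
# (or an app's local/inputs.conf); assumed path, override as needed.
INPUTS_CONF=${INPUTS_CONF:-/opt/splunkforwarder/etc/system/local/inputs.conf}

# Print a [monitor://<path>] stanza to stdout so it can be reviewed before use.
render_monitor_stanza() {
    path=$1; sourcetype=$2; index=$3
    printf '[monitor://%s]\n' "$path"
    printf 'sourcetype = %s\n' "$sourcetype"
    printf 'index = %s\n' "$index"
    printf 'disabled = 0\n'
}

# Append the stanza to an inputs.conf, but only once: re-running the script
# must not produce duplicate stanzas for the same path.
install_monitor_stanza() {
    conf=$1; path=$2; sourcetype=$3; index=$4
    if [ -f "$conf" ] && grep -qF "[monitor://$path]" "$conf"; then
        echo "already monitored: $path" >&2
        return 0
    fi
    render_monitor_stanza "$path" "$sourcetype" "$index" >> "$conf"
}

# Grant read access with a POSIX ACL instead of loosening the 0600 mode that
# auditd keeps on its log. The directory also needs rx so the path can be
# traversed. Requires root and the acl package (setfacl); not run by any test.
# ACLs are per file: auditd recreates audit.log on rotation, so verify after a
# rotation that the forwarder still has access and re-apply if it does not.
grant_audit_read_acl() {
    user=$1; logfile=$2
    dir=$(dirname "$logfile")
    setfacl -m "u:$user:rx" "$dir"
    setfacl -m "u:$user:r" "$logfile"
}

# Confirm the account can actually open the file (run as root).
check_read_access() {
    user=$1; logfile=$2
    if su -s /bin/sh "$user" -c "head -c 1 '$logfile' >/dev/null"; then
        echo "ok: $user can read $logfile"
    else
        echo "FAIL: $user cannot read $logfile" >&2
        return 1
    fi
}

# Typical run as root on each instance, then restart the forwarder:
#   install_monitor_stanza "$INPUTS_CONF" "$AUDIT_LOG" linux_audit os
#   grant_audit_read_acl "$SPLUNK_USER" "$AUDIT_LOG"
#   check_read_access "$SPLUNK_USER" "$AUDIT_LOG"
```

After the stanza is in place and the ACL is applied, restart the forwarder and confirm with `splunk list monitor` (or the `_internal` index on the indexer) that audit.log is being read; if `check_read_access` fails, SELinux may still be denying the read even though the ACL is present, which is the other option the reply mentions.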