Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to enable sending linux command logging to Splunk?

dharshini
Explorer
‎01-22-2019 07:12 PM

Hi All,

How do we get to log all the commands run in the shell for an oracle linux OS. Right now, we are monitoring /var/log .
Can help provide steps to enable the logging of events with the command executed by any user in a linux terminal.

Note: I did edit the file /etc/audit/audit.rules and added the below rules and restarted.
vi /etc/audit/audit.rules
-a exit,always -F arch=b64 -S execve -k all_cmd_capture
-a exit,always -F arch=b32 -S execve -k all_cmd_capture

However, the log level increased the license (size of log sent to the indexer) by capturing all the background processes as well and exceeded license. Also the logs captured in splunk had the format like type=EXECVE msg=audit(1548110293.810:5052): argc=1 a0="date" .

Kindly suggest other possible ways to capture.

Thanks.

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-23-2019 06:07 AM

It depends on what you mean by "log all the commands". You can monitor /var/log/auditd or you can monitor /home/*/.bash_history. The first is simpler, less verbose, and more common (and more useful, IMO). Either way, you will be logging more data and must account for that in your license.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dharshini
Explorer
‎01-23-2019 11:40 PM

Yes. I added the session required pam_tty_audit.so enable=* into system-auth and password-auth-ac files and can see the logs as type= TTY or type-USER_TTY on splunk search head.
However the issue is the command executed is shown as hexadecimal format in the field name data=6364202F6574632F70617373090D which I need to convert to text to show up on report.
How do we convert this hexadecimal field into string?
Any inputs.

Thanks.

0 Karma
Reply

vishaltaneja070
Motivator
‎01-23-2019 05:50 AM

@dharshini

You can send the logs to nullqueue using props and transform for the events which are not required to get indexed which can decrease the license usage.

0 Karma
Reply
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...