Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to enable sending linux command logging to Splunk?

dharshini
Explorer
‎01-22-2019 07:12 PM

Hi All,

How do we get to log all the commands run in the shell for an oracle linux OS. Right now, we are monitoring /var/log .
Can help provide steps to enable the logging of events with the command executed by any user in a linux terminal.

Note: I did edit the file /etc/audit/audit.rules and added the below rules and restarted.
vi /etc/audit/audit.rules
-a exit,always -F arch=b64 -S execve -k all_cmd_capture
-a exit,always -F arch=b32 -S execve -k all_cmd_capture

However, the log level increased the license (size of log sent to the indexer) by capturing all the background processes as well and exceeded license. Also the logs captured in splunk had the format like type=EXECVE msg=audit(1548110293.810:5052): argc=1 a0="date" .

Kindly suggest other possible ways to capture.

Thanks.

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-23-2019 06:07 AM

It depends on what you mean by "log all the commands". You can monitor /var/log/auditd or you can monitor /home/*/.bash_history. The first is simpler, less verbose, and more common (and more useful, IMO). Either way, you will be logging more data and must account for that in your license.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dharshini
Explorer
‎01-23-2019 11:40 PM

Yes. I added the session required pam_tty_audit.so enable=* into system-auth and password-auth-ac files and can see the logs as type= TTY or type-USER_TTY on splunk search head.
However the issue is the command executed is shown as hexadecimal format in the field name data=6364202F6574632F70617373090D which I need to convert to text to show up on report.
How do we convert this hexadecimal field into string?
Any inputs.

Thanks.

0 Karma
Reply

vishaltaneja070
Motivator
‎01-23-2019 05:50 AM

@dharshini

You can send the logs to nullqueue using props and transform for the events which are not required to get indexed which can decrease the license usage.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Top