Splunk Enterprise

How to enable sending linux command logging to Splunk?

dharshini
Explorer

Hi All,

How do we get to log all the commands run in the shell for an oracle linux OS. Right now, we are monitoring /var/log .
Can help provide steps to enable the logging of events with the command executed by any user in a linux terminal.

Note: I did edit the file /etc/audit/audit.rules and added the below rules and restarted.
vi /etc/audit/audit.rules
-a exit,always -F arch=b64 -S execve -k all_cmd_capture
-a exit,always -F arch=b32 -S execve -k all_cmd_capture

However, the log level increased the license (size of log sent to the indexer) by capturing all the background processes as well and exceeded license. Also the logs captured in splunk had the format like type=EXECVE msg=audit(1548110293.810:5052): argc=1 a0="date" .

Kindly suggest other possible ways to capture.

Thanks.

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

It depends on what you mean by "log all the commands". You can monitor /var/log/auditd or you can monitor /home/*/.bash_history. The first is simpler, less verbose, and more common (and more useful, IMO). Either way, you will be logging more data and must account for that in your license.

---
If this reply helps you, Karma would be appreciated.
0 Karma

dharshini
Explorer

Yes. I added the session required pam_tty_audit.so enable=* into system-auth and password-auth-ac files and can see the logs as type= TTY or type-USER_TTY on splunk search head.
However the issue is the command executed is shown as hexadecimal format in the field name data=6364202F6574632F70617373090D which I need to convert to text to show up on report.
How do we convert this hexadecimal field into string?
Any inputs.

Thanks.

0 Karma

vishaltaneja070
Motivator

@dharshini

You can send the logs to nullqueue using props and transform for the events which are not required to get indexed which can decrease the license usage.

0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...