Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find out who deleted a user in Linux?

neerajs_81
Builder
‎09-15-2023 02:01 AM

Hi All, just wondering if anyone has a search that shows which user deleted another user in Linux  ?

Typically in the linux syslog messages, when we check for userdel messages ,  it only shows the name of the user account that was deleted.  There isn't any mention of which user performed this action. 
 Whereas in Windows events, we see both src and target user for deletion Event IDs. 

How to get this info ? I know one can manually login to host and verify the ./bash_history but how do you accomplish this from Splunk itself ?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-19-2023 04:54 PM

Command history is logged in LOCAL7 facility, NOTICE level.  You may want to examine /etc/rsyslog.conf (and related conf files) to find out which log file(s) contain local7.notice.

According to https://github.com/rsyslog/rsyslog/blob/master/platform/redhat/rsyslog.conf, RedHat default is to send local7.* into /var/log/boot.log.  But your system may have customized settings.  Normally, /var/log/secure is used for authpriv.*, thus it does not contain command history.

If the file that contains local7.notice is not ingested, you will need to ingest it.

Hope this helps.

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎09-18-2023 12:38 AM

You need to read up Linux user management, or ask your SysAdmin how to determine such matters.

Understandably, Windows user management is totally different Unix and Linux user management.  Unless your system uses some uncommon admin overlay (which only your SysAdmin can tell you), userdel command can only be executed by root (uid 0).  A non-root user may have sudo privileges to execute commands as root, but this can only be executed as sudo usserdel.  Alternatively, if unprivileged user is allowed root shell, such a user can first use sudo su <shell name> to gain a root shell, then execute userdel in this shell as if it is user root.

Most modern Linux systems log full command history.  You didn't say which Linux OS you are using.  You say "(syslog) only shows the name of the user account that was deleted," but without any context like which source file are you looking at.  In Unix-like systems, "syslog" is a OS facility that can be organized in many different ways, i.e., various messages (events) can go to various places. (If you are unsure, ask your SysAdmin.)  You didn't even illustrate a sample log entry. (You can always anonymize; but make sure to preserve formatting and other characteristics.)  Volunteers cannot possibly help with all these ambiguities.

0 Karma
Reply
Solved! Jump to solution

neerajs_81
Builder
‎09-18-2023 04:19 AM

Hi,

I am myself a sysadmin and  if you read my entire post with open eyes ,  i myself wrote that this information is available in /bash_history to check but that is manually after ssh into the server. If i wasn't aware how to check this, i wouldn't have mentioned about checking user's history.

It doesn't matter which ever flavor of Linux you take be it Ubuntu or RHEL family anybody who is familiar with user deletion activity will know this issue because its same for any linux flavor.

We are on RHEL 7.9 and under /var/log/secure  all we see is following type of messages when someone runs userdel command: 

neerajs_81_0-1695035795460.png

There is no further message or record in /var/log/secure of who ran this command. That's my use case and that is why i drew parallel with Windows Event Viewer logs to see how others are doing for similar use cases. 

 

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-19-2023 04:54 PM

Command history is logged in LOCAL7 facility, NOTICE level.  You may want to examine /etc/rsyslog.conf (and related conf files) to find out which log file(s) contain local7.notice.

According to https://github.com/rsyslog/rsyslog/blob/master/platform/redhat/rsyslog.conf, RedHat default is to send local7.* into /var/log/boot.log.  But your system may have customized settings.  Normally, /var/log/secure is used for authpriv.*, thus it does not contain command history.

If the file that contains local7.notice is not ingested, you will need to ingest it.

Hope this helps.

Tags (1)
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...