Splunk Search

How to write a search to find which user did a sudo to root for the last 2 days on Linux servers?

sandyganti13
New Member

Would it be something like:

sourcetype="/var/log/secure" eventtype="su_authentication"
0 Karma

sundareshr
Legend

Try source="/var/log/auth.log" sudo

0 Karma

sandyganti13
New Member

When I give source="/var/log/auth.log" sudo it is showing all the accounts that performed a sudo, not only to ROOT but also to other ones.

I am trying to sort out the results only to ROOT, like the accounts that did sudo su - root.

0 Karma
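As an added example that is not part of this thread, the filtering being asked for, run over constructed sudo syslog lines (the format sudo writes to /var/log/auth.log or /var/log/secure, e.g. `sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su - root`) rather than in SPL. The security-relevant point is that the `USER=` field, not the command, says who the sudo was *to*: restricting to `su - root` misses `sudo -i`, `sudo bash` and any other command run as root, so the code returns both views. The sample lines, the host names and the fixed reference time are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath

# Constructed sample lines (not real data) in the format sudo writes to syslog.
# One successful sudo per user, plus a non-root target (bob), a failed attempt
# (carol, second line), an event older than 2 days (eve) and a "future" month
# (frank) to exercise the missing-year handling below.
SAMPLE_AUTH_LOG = """\
Nov 20 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su - root
Nov 20 09:30:44 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=postgres ; COMMAND=/usr/bin/psql
Nov 21 17:05:12 db02 sudo:    carol : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/bin/systemctl restart nginx
Nov 21 17:06:03 db02 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/bin/su -
Nov 21 20:00:00 web01 sudo:    grace : TTY=pts/4 ; PWD=/home/grace ; USER=root ; COMMAND=/bin/bash
Nov 22 08:00:00 web01 sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/su
Nov 15 12:00:00 web01 sudo:      eve : TTY=pts/3 ; PWD=/home/eve ; USER=root ; COMMAND=/bin/su - root
Dec 31 23:59:00 web01 sudo:    frank : TTY=pts/5 ; PWD=/home/frank ; USER=root ; COMMAND=/bin/su - root
"""

# Assumed "now" for the 2-day window, fixed so the example is reproducible.
REFERENCE_TIME = datetime(2024, 11, 22, 9, 0, 0, tzinfo=timezone.utc)

# Syslog timestamp, host, invoking user, optional failure message, then the
# key=value fields sudo always emits. PWD may contain spaces, hence lazy match.
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?P<msg>.*?)TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_line(line, year):
    """Parse one sudo syslog line into a dict, or return None for other lines."""
    m = SUDO_RE.match(line)
    if m is None:
        return None
    # Classic syslog timestamps carry no year; the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "time": ts.replace(tzinfo=timezone.utc),
        "host": m["host"],
        "user": m["user"],
        "target": m["target"],
        "command": m["cmd"].strip(),
        # sudo prefixes failed runs with e.g. "3 incorrect password attempts ;"
        "failed": "incorrect password" in m["msg"],
    }


def is_su_to_root(command):
    """True if the command is su with root as the (explicit or default) target.

    Options (-, -l, --login, ...) are skipped; su's default target is root, so
    'su' and 'su -' count. Caveat: 'su -c cmd' would be misread as 'su cmd'.
    """
    tokens = command.split()
    if not tokens or PurePosixPath(tokens[0]).name != "su":
        return False
    positional = [t for t in tokens[1:] if not t.startswith("-")]
    return positional == [] or positional[0] == "root"


def find_sudo_to_root(log_text, now, days=2, su_only=False):
    """Return successful sudo events with USER=root within the last `days`."""
    cutoff = now - timedelta(days=days)
    hits = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line, now.year)
        if ev is None:
            continue
        if ev["time"] > now:
            # A timestamp in the future means the log line is from last year.
            ev["time"] = ev["time"].replace(year=now.year - 1)
        if ev["time"] < cutoff or ev["failed"] or ev["target"] != "root":
            continue
        if su_only and not is_su_to_root(ev["command"]):
            continue
        hits.append(ev)
    return hits


def users_who_sudoed_to_root(log_text, now, days=2, su_only=False):
    """Just the invoking account names, in log order."""
    return [ev["user"] for ev in find_sudo_to_root(log_text, now, days, su_only)]


if __name__ == "__main__":
    for ev in find_sudo_to_root(SAMPLE_AUTH_LOG, REFERENCE_TIME):
        print(ev["time"].isoformat(), ev["host"], ev["user"], "->", ev["command"])
```

On the sample data the broad filter returns alice, carol, grace and dave, while the `su_only` view returns only alice and dave, so grace's `sudo bash` would be missed by searching for the literal string `su - root`. In SPL the same narrowing is, roughly, adding `"USER=root"` as a search term next to `sudo` and bounding the time with `earliest=-2d`; exact field names depend on the extractions your sourcetype defines, so check them with a `rex` or the field picker before trusting the count.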