Splunk Search

How to write a search to find which user did a sudo to root for the last 2 days on Linux servers?

sandyganti13
New Member

Would it be something like:

sourcetype="/var/log/secure" eventtype="su_authentication"
0 Karma

sundareshr
Legend

Try source="/var/log/auth.log" sudo

0 Karma

sandyganti13
New Member

When I give source="/var/log/auth.log" sudo, it shows all the accounts that performed a sudo, not only to ROOT but also to other ones.

I am trying to narrow the results to ROOT only, i.e. the accounts that did sudo su - root.

0 Karma
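One way to narrow the search to escalations that targeted root, as an added example that is not from any poster in this thread: it assumes the standard sudo syslog line format ("sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su - root") is indexed raw from the two source paths mentioned above, and does its own field extraction with rex instead of relying on an add-on's extractions. The field names sudo_user, target_user and command are assumptions chosen here.

```spl
(source="/var/log/secure" OR source="/var/log/auth.log") sudo earliest=-2d
| rex field=_raw "sudo(?:\[\d+\])?:\s+(?<sudo_user>\S+)\s+:\s+TTY=(?<tty>\S+)\s+;\s+PWD=(?<pwd>.+?)\s+;\s+USER=(?<target_user>\S+)\s+;.*?COMMAND=(?<command>.+)$"
| search target_user="root"
| stats count AS escalations min(_time) AS first_seen max(_time) AS last_seen values(command) AS commands BY host sudo_user
| sort - last_seen
| convert ctime(first_seen) ctime(last_seen)
```

The USER= field is what sudo records as the target account, so target_user="root" catches every sudo to root (sudo su - root, sudo -i, sudo bash, sudo -u root ...), not just the su form; to keep only the literal su invocations, add `| search command="*su - root*"` before the stats. Two caveats: `earliest=-2d` is a rolling 48 hours (use `earliest=-2d@d` to snap to midnight), and a plain `su - root` typed without sudo is logged by su or pam as a "session opened for user root by alice" line, which this search does not cover.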