Splunk Search

Is it possible to monitor Sudo and Root users using Splunk?

Svill321
Path Finder

Good day everyone,

I have an idea I'd like to try to monitor actions taken by root users or sudo. Say that I have logs that show the users session start and session end. What I would like to do is make a query that looks for SESSION_START and SESSION_END for a given USER. Then, the query will show the events associated with that user account between the timestamps of SESSION_START and SESSION_END.

My main question is whether or not this is even possible in the scope of Splunk. As of right now, I think I would go about this using the transaction command to group together shared user events, but the logic for extracting what happens between SESSION_START and SESSION_END eludes me.

0 Karma
1 Solution

DalJeanis
Legend

The answer is, if the events are IN splunk, then you can get them out. Machines are capable of logging massive amounts of data, if you want them to, and if it is worth it to you to keep that data. Most large institutions only keep a tiny slice of what could potentially be ingested into splunk. So, you need to investigate what is being logged into splunk in your organization.

You also need to collect the format of the logon and logoff. Maybe those both have the userid, maybe just the logon does, and they are linked by a session Id, or maybe the userid is on a different kind of transaction, connected with a temporary virtual user id, and then that id is used on the other events.

To figure all this out, just find a logon that is (if possible) late at night, on a weekend, or some other low-traffic time, on a machine with not much else going on, and collect all those records into a document to use as your guidelines.

Figure out how to identify the start and end events for your user. Figure out how to identify the rest of the events, and which ones document actions that you want to track.

Once you have that, then mask the data to create non-confidential versions of those transactions, and post them here, so we can help you craft the most efficient way to extract them.


0 Karma


Svill321
Path Finder

To further clarify, I'm using this right now to get the events:

index=index_name | transaction account startswith="SESSION_START" endswith="SESSION_END"

What I expect to get are several events which start with one SESSION_START and end with one SESSION_END, and whatever is between them. What I'm getting right now are events with several SESSION_STARTs and SESSION_ENDs in them. This might be due to the fact that transaction is combining the root account, which could be in use on several machines at a time, but I am unsure if that's the case.

0 Karma

DalJeanis
Legend

Root is presumably on a particular host, so you can use that as part of your extraction routine. Unfortunately, every time someone uses ONE account to log onto a different machine, perhaps as a different user, you have another iteration of the same problem.

0 Karma
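The following is an added example, not code from the thread or from Splunk: it reproduces, outside Splunk, the problem described in the two posts above (one transaction swallowing several SESSION_STARTs when root is active on more than one host) and shows why adding host to the grouping key fixes it. The log lines, the field names (host, account, action, cmd) and the timestamps are constructed for the example. The grouping function is a simplified model of startswith/endswith windowing, not Splunk's actual transaction algorithm; the search-side equivalent of the corrected grouping would be something like transaction account host startswith="SESSION_START" endswith="SESSION_END", where host is a Splunk default field and account is assumed to be the extracted user field.

```python
import re

# Constructed sample events (not real logs): root is active on two hosts at
# once, which is the situation described in the thread.
SAMPLE_LOG = """\
2024-12-01T22:00:00 host=web01 account=root action=SESSION_START
2024-12-01T22:00:05 host=web01 account=root action=CMD cmd="vi /etc/sudoers"
2024-12-01T22:00:10 host=db01 account=root action=SESSION_START
2024-12-01T22:00:12 host=db01 account=root action=CMD cmd="systemctl restart postgresql"
2024-12-01T22:00:20 host=web01 account=root action=SESSION_END
2024-12-01T22:00:30 host=db01 account=root action=CMD cmd="tail /var/log/auth.log"
2024-12-01T22:00:40 host=db01 account=root action=SESSION_END
2024-12-01T22:01:00 host=web01 account=alice action=CMD cmd="ls"
"""

# key=value pairs, with optional double-quoted values
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split 'TIMESTAMP key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for key, whole, quoted, bare in KV_RE.findall(rest):
        event[key] = quoted if whole.startswith('"') else bare
    return event


def load_events(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def group_sessions(events, group_by=("account",)):
    """Simplified model of startswith/endswith grouping (assumption, not
    Splunk's algorithm): per grouping key, a SESSION_START opens a window,
    later events with the same key are appended, SESSION_END closes it.
    Events arriving while no window is open for their key are dropped."""
    open_windows = {}
    sessions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = tuple(ev.get(f) for f in group_by)
        action = ev.get("action")
        if action == "SESSION_START" and key not in open_windows:
            open_windows[key] = [ev]
        elif key in open_windows:
            # A START arriving while a window is already open for this key
            # is swallowed into it; with account-only grouping this is how a
            # root session on another host leaks into the current one.
            open_windows[key].append(ev)
            if action == "SESSION_END":
                sessions.append({"key": dict(zip(group_by, key)),
                                 "events": open_windows.pop(key)})
    return sessions


def session_summary(session):
    """Reduce a session to the fields an analyst would want to eyeball."""
    evs = session["events"]
    return {
        "key": session["key"],
        "hosts": sorted({e["host"] for e in evs}),
        "starts": sum(1 for e in evs if e["action"] == "SESSION_START"),
        "commands": [e["cmd"] for e in evs if e["action"] == "CMD"],
    }


def main():
    events = load_events(SAMPLE_LOG)
    for group_by in (("account",), ("account", "host")):
        print(f"--- grouping by {group_by} ---")
        for s in group_sessions(events, group_by):
            print(session_summary(s))


if __name__ == "__main__":
    main()
```

Grouping by account alone yields a single "session" that contains two SESSION_STARTs, mixes both hosts, and silently loses the second db01 command because its window was already closed; grouping by account and host yields two clean sessions with one start and one end each. The same split (one session per account per host) is what the search needs before any per-session analysis of root or sudo activity is meaningful.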

somesoni2
Revered Legend

Do the logs have user name in it? Can you show some sample raw events, one for each of start, end and in-between?

0 Karma