Splunk Search

Is it possible to monitor Sudo and Root users using Splunk?

Path Finder

Good day everyone,

I have an idea I'd like to try to monitor actions taken by root users or sudo. Say that I have logs that show the user's session start and session end. What I would like to do is make a query that looks for SESSION_START and SESSION_END for a given USER. Then, the query will show the events associated with that user account between the timestamps of SESSION_START and SESSION_END.

My main question is whether or not this is even possible in the scope of Splunk. As of right now, I think I would go about this using the transaction command to group together shared user events, but the logic for extracting what happens between SESSION_START and SESSION_END eludes me.

0 Karma
1 Solution

SplunkTrust

The answer is, if the events are IN Splunk, then you can get them out. Machines are capable of logging massive amounts of data, if you want them to, and if it is worth it to you to keep that data. Most large institutions only keep a tiny slice of what could potentially be ingested into Splunk. So, you need to investigate what is being logged into Splunk in your organization.

You also need to collect the format of the logon and logoff. Maybe those both have the userid, maybe just the logon does, and they are linked by a session ID, or maybe the userid is on a different kind of transaction, connected with a temporary virtual user ID, and then that ID is used on the other events.

To figure all this out, just find a logon that is (if possible) late at night, on a weekend, or some other low-traffic time, on a machine with not much else going on, and collect all those records into a document to use as your guidelines.

Figure out how to identify the start and end events for your user. Figure out how to identify the rest of the events, and which ones document actions that you want to track.

Once you have that, then mask the data to create non-confidential versions of those transactions, and post them here, so we can help you craft the most efficient way to extract them.

0 Karma

Path Finder

To further clarify, I'm using this right now to get the events:

index=index_name| transaction account startswith:"SESSION_START" endswith:"SESSION_END"

What I expect to get are several events which start with one SESSION_START and end with one SESSION_END, and whatever is between them. What I'm getting right now are events with several SESSION_STARTs and SESSION_ENDs in them. This might be due to the fact that transaction is combining the root account, which could be in use on several machines at a time, but I am unsure if that's the case.

0 Karma

SplunkTrust

Root is presumably on a particular host, so you can use that as part of your extraction routine. Unfortunately, every time someone uses ONE account to log onto a different machine, perhaps as a different user, you have another iteration of the same problem.

0 Karma
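
The grouping problem raised in the posts above, as an added example that is not part of the original thread: a small Python model for checking a pairing key against a masked sample export before writing the search. It is not Splunk's transaction logic; the event layout, host names and commands are constructed, and only `account` and the SESSION_START/SESSION_END markers come from the thread.

```python
# Constructed sample events: (epoch_seconds, host, account, message).
# root is logged in on web01 and db01 at overlapping times.
EVENTS = [
    (100, "web01", "root", "SESSION_START"),
    (105, "db01", "root", "SESSION_START"),
    (110, "web01", "root", "COMMAND=/usr/bin/systemctl restart nginx"),
    (115, "db01", "root", "COMMAND=/usr/bin/pg_dump appdb"),
    (120, "web01", "root", "SESSION_END"),
    (130, "db01", "root", "SESSION_END"),
    (140, "web01", "root", "SESSION_START"),   # never closed in the sample
    (145, "web01", "root", "COMMAND=/usr/bin/vi /etc/hosts"),
]
FIELD_INDEX = {"host": 1, "account": 2}  # assumed field layout of the tuples above


def sessionize(events, key_fields=("host", "account")):
    """Pair each SESSION_START with the next SESSION_END seen for the same key."""
    open_sessions = {}  # key -> events of the session in progress
    sessions = []
    for ev in sorted(events):
        key = tuple(ev[FIELD_INDEX[f]] for f in key_fields)
        msg = ev[3]
        if msg == "SESSION_START":
            if key in open_sessions:  # second start before an end: keep, mark unclosed
                sessions.append({"key": key, "closed": False,
                                 "events": open_sessions.pop(key)})
            open_sessions[key] = [ev]
        elif key in open_sessions:
            open_sessions[key].append(ev)
            if msg == "SESSION_END":
                sessions.append({"key": key, "closed": True,
                                 "events": open_sessions.pop(key)})
        # events outside any open session for their key are skipped
    for key, evs in open_sessions.items():  # start with no matching end
        sessions.append({"key": key, "closed": False, "events": evs})
    return sessions


def hosts_in(session):
    """Hosts that contributed events to one session."""
    return {ev[1] for ev in session["events"]}


if __name__ == "__main__":
    for fields in (("account",), ("host", "account")):
        print("key =", fields)
        for s in sessionize(EVENTS, fields):
            print("  closed=%s hosts=%s events=%d"
                  % (s["closed"], sorted(hosts_in(s)), len(s["events"])))
```

Keyed on account alone, one "session" contains events from both hosts; keyed on host and account, each session stays on one host and the unfinished login is reported as unclosed.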

SplunkTrust

Do the logs have the user name in them? Can you show some sample raw events, one for each of start, end and in-between?

0 Karma