Splunk Search

Search for sudo (linux_secure does not exist?)

jackjack
Path Finder

Hi all,

I am trying to setup some sort of dashboard to view a list of sudo commands by server. 

I started with the IT Essentials Learn App which recommends this command:

index=* sourcetype=linux_secure process=sudo COMMAND=* host=*
| rex "COMMAND=(?<raw_command>.*)"
| eval COMMAND=coalesce(raw_command, COMMAND)
| table _time host USER PWD COMMAND

This command did not work for me so I started playing with it a bit. I realized that the sourcetype=linux_secure does not exist.

My understanding is that the splunk add-on for unix and linux is supposed to apply this sourcetype. I verified my configuration and didn't see anything to modify so I went ahead and looked at the $SPLUNK/etc/apps/Splunk_TA_nix/default/inputs.conf file. I cannot find a single instance of sourcetype=linux_secure in that config file so I don't think that sourcetype is being applied to any sources. Has linux_secure been deprecated or do I simply need to modify my local/inputs.conf file with something?

 

Does anyone have a recommended way to perform this search? I have tried a number of methods but am struggling to get what I need.

0 Karma
1 Solution

jackjack
Path Finder

IT Essentials Learn App led me down the wrong path. This is the search I am using which appears to work just fine. I think linux_secure has been deprecated seeing as it does not show up anywhere in the default config files (and these list the default sourcetype for each source so clearly it's no longer being used as a default sourcetype with the unix add on).

index="*" host="*" source="/var/log/auth.log" tag="authentication" process="sudo" tag="success"
| table _time host user source process tag _raw

View solution in original post

0 Karma
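
What the question's `rex`/`coalesce` pair is working around, and the success/failure split that the accepted answer's tag="success" filter relies on, shown as an added Python example (not code from the thread or from the Splunk add-on). The auth.log lines are constructed samples in the shape sudo normally writes, and `naive_kv` only approximates Splunk's automatic key=value extraction; the field names follow the original search's table.

```python
import re
from typing import Dict, List, Optional

# Constructed sample auth.log lines in the usual syslog shape sudo writes (not real events).
SAMPLE_AUTH_LOG = """\
Mar  4 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get install -y nginx
Mar  4 09:12:01 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Mar  4 09:15:47 db02 sudo:      bob : TTY=pts/1 ; PWD=/var/lib/postgresql ; USER=postgres ; COMMAND=/usr/bin/psql -c select 1
Mar  4 09:16:02 db02 sudo:  mallory : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
Mar  4 09:17:30 web01 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls -la /root
"""

# Syslog header: timestamp, host, the "sudo:" program tag, then the message body.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sudo:\s+(?P<rest>.*)$")

# sudo's own message: invoking user, an optional failure reason, then the ';'-separated fields.
# COMMAND is last and is captured to end of line, like the search's rex "COMMAND=(?<raw_command>.*)".
SUDO_RE = re.compile(
    r"^(?P<invoker>\S+) : (?:(?P<failure>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)


def naive_kv(rest: str) -> Dict[str, str]:
    """Approximate Splunk's automatic key=value extraction on whitespace-delimited tokens.
    The value stops at the first space, so COMMAND keeps only the binary and loses its arguments."""
    fields: Dict[str, str] = {}
    for token in rest.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def coalesce(*values: Optional[str]) -> Optional[str]:
    """Same semantics as SPL coalesce(): the first argument that is neither None nor empty."""
    for value in values:
        if value:
            return value
    return None


def parse_sudo_events(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Turn raw auth.log text into rows equivalent to '| table _time host USER PWD COMMAND'.
    PAM session lines and anything that is not a sudo command record are skipped."""
    rows: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        header = SYSLOG_RE.match(line)
        if not header:
            continue
        detail = SUDO_RE.match(header["rest"])
        if not detail:
            continue
        auto = naive_kv(header["rest"])
        rows.append({
            "_time": header["ts"],
            "host": header["host"],
            "invoker": detail["invoker"],
            "USER": detail["target"],
            "PWD": detail["pwd"],
            # Prefer the full capture; fall back to the auto-extracted value if it is missing.
            "COMMAND": coalesce(detail["command"], auto.get("COMMAND")),
            "auto_COMMAND": auto.get("COMMAND"),
            # A reason before TTY= marks a refusal or failed authentication: the events
            # the accepted answer's tag="success" filter leaves out.
            "outcome": "failure" if detail["failure"] else "success",
            "reason": detail["failure"],
        })
    return rows


def commands_by_host(rows, outcome: str = "success") -> Dict[str, List[str]]:
    """Group COMMAND values per host for one outcome, the shape a per-server dashboard panel needs."""
    grouped: Dict[str, List[str]] = {}
    for row in rows:
        if row["outcome"] == outcome:
            grouped.setdefault(row["host"], []).append(row["COMMAND"])
    return grouped


if __name__ == "__main__":
    events = parse_sudo_events(SAMPLE_AUTH_LOG)
    for row in events:
        print(f'{row["_time"]}  {row["host"]:6} {row["invoker"]:8} -> {row["USER"]:9} '
              f'{row["outcome"]:8} {row["COMMAND"]}')
    print(commands_by_host(events))
    print(commands_by_host(events, outcome="failure"))
```

The `auto_COMMAND` column is kept only to make the defect visible: a whitespace-bounded extraction returns `/usr/bin/apt-get` where the full line says `/usr/bin/apt-get install -y nginx`, which is why the original search re-extracts COMMAND with `rex` and then `coalesce`s the two. Keeping the failure rows separately (rather than discarding them) is what lets a dashboard show refused and mistyped sudo attempts per host alongside the successful ones.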


edoardo_vicendo
Contributor

I confirm that Splunk_TA_nix has been deprecated (I remember having received an email from Splunk about this). Anyway, it doesn't mean it will stop working 🙂

About your issue: you probably don't receive any logs because most of the inputs are disabled by default. What I would suggest you do is to copy ../default/inputs.conf to .../local/inputs.conf and then modify it to enable the scripted input OR the monitor stanza related to linux_secure.

Best Regards,

Edoardo

0 Karma

PickleRick
Champion

As with any add-on, it's just a tool that can help you interpret and maybe receive events from a particular kind of source, but it's up to you to make sure it's properly installed and configured.

Oh, and in the case of the TA_nix app, it's deprecated and you should rather use https://splunkbase.splunk.com/app/3476/

"Be sure to also check out the certified sudo (https://splunkbase.splunk.com/app/3038/), iptables (https://splunkbase.splunk.com/app/3089/) and auditd (https://splunkbase.splunk.com/app/2642/) apps."

But still it's all search-head side configuration. You need to make sure that proper logs are being pulled into splunk by configuring proper inputs with proper sourcetypes.

0 Karma

jackjack
Path Finder

Do you know of a source that tells me how to configure it? I have looked through the existing add-on setup documentation and cannot find what I need. 

Are you sure the TA_nix add-on is deprecated? I thought it was just the App itself? I don't see any deprecation callouts on its page.

Those other apps aren't supported by splunk so I cannot use them. I've had issues with unsupported apps in the past so all apps must be splunk supported now. Additionally, it looks like they'll cause conflict with the add-on for unix, which is working (just not with the linux_secure type).

0 Karma

PickleRick
Champion

About the obsoleteness - sorry, my bad, I mistook one app for another and quoted something wrongly. Forget it.

About the inputs - how are you receiving (or want to receive) the logs? Directly on the splunk server? On HF? On UF?

In general - creating proper inputs.conf stanzas in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf and restarting the splunk component responsible for reading the logs should suffice.

0 Karma
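
The local override that edoardo_vicendo (copy the default inputs.conf into local/ and enable the linux_secure monitor stanza) and PickleRick (proper stanzas in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf, then restart the component that reads the logs) both describe, written out as an added example. This is not the add-on's shipped file: the monitored paths, the `os` index name and the explicit `sourcetype = linux_secure` assignment are assumptions for the illustration; check them against the stanzas in your own ../default/inputs.conf and props.conf before using them.

```ini
# Hypothetical $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf (added example).
# Anything here overrides the same-named stanza in ../default/inputs.conf, so only the
# stanzas you change need to be copied across.

# RHEL/CentOS family: sudo and PAM events land in /var/log/secure (path assumed).
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os
disabled = 0

# Debian/Ubuntu family: the same events go to /var/log/auth.log, the path the accepted
# answer searches on (path assumed).
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = os
disabled = 0
```

Put the file on whichever component actually reads the files (the universal or heavy forwarder on the Linux host, or the indexer if it tails them itself) and restart that component. Once events are flowing, `index=os sourcetype=linux_secure | head 5` is the quickest check that the sourcetype is being applied; if events show up under a different sourcetype, the props.conf extractions for linux_secure that venkatasri refers to will not be used, and the original search's sourcetype filter will keep returning nothing.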

jackjack
Path Finder

No worries, it's hard to keep everything straight in splunk.

So it wasn't a problem with the config. It was just IT Essentials Learn leading me down the wrong path. It seems to me that linux_secure has been deprecated. 

I was able to get the results I need using a different search which I will post shortly.

0 Karma

venkatasri
SplunkTrust

@jackjack it exists in props.conf here - Splunk_TA_nix/default; by default inputs.conf doesn't include a secure logs monitor, it's file-based monitoring. Guessing /var/log/secure could be the path.

If the nix add-on is rightly set up, the corresponding input enabled, and you have access to view the sourcetype, then you should be able to find logs.

Have a chat with your admin/ system team.

0 Karma

jackjack
Path Finder

Unfortunately I am responsible for both splunk setup and splunk searching.

I think you're right in that the data is there, I just need to find it another way. I think IT Essentials Learn just led me down the wrong path - perhaps linux_secure was the method in the past and things have changed now.

0 Karma