Hi all,
I am trying to set up some sort of dashboard to view a list of sudo commands by server.
I started with the IT Essentials Learn App which recommends this command:
index=* sourcetype=linux_secure process=sudo COMMAND=* host=*
| rex "COMMAND=(?<raw_command>.*)"
| eval COMMAND=coalesce(raw_command, COMMAND)
| table _time host USER PWD COMMAND
This command did not work for me so I started playing with it a bit. I realized that the sourcetype=linux_secure does not exist.
My understanding is that the splunk add-on for unix and linux is supposed to apply this sourcetype. I verified my configuration and didn't see anything to modify so I went ahead and looked at the $SPLUNK/etc/apps/Splunk_TA_nix/default/inputs.conf file. I cannot find a single instance of sourcetype=linux_secure in that config file so I don't think that sourcetype is being applied to any sources. Has linux_secure been deprecated or do I simply need to modify my local/inputs.conf file with something?
Does anyone have a recommended way to perform this search? I have tried a number of methods but am struggling to get what I need.
IT Essentials Learn App led me down the wrong path. This is the search I am using which appears to work just fine. I think linux_secure has been deprecated seeing as it does not show up anywhere in the default config files (and these list the default sourcetype for each source so clearly it's no longer being used as a default sourcetype with the unix add on).
index="*" host="*" source="/var/log/auth.log" tag="authentication" process="sudo" tag="success"
| table _time host user source process tag _raw
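As an added illustration (not part of the original post, nor Splunk's or Splunk_TA_nix's own code), the script below does outside Splunk what the two searches above do inside it: it picks the sudo summary lines out of syslog-style auth log text, pulls out the invoking user, target USER, PWD and COMMAND the same way the rex on COMMAND= does, groups them by host for a "by server" view, and separates invocations that ran from ones sudo rejected, which is what the tag="success" filter is meant to capture. The log lines are constructed samples in the layout sudo writes to /var/log/secure or /var/log/auth.log; the function names are my own.

```python
"""Extract sudo activity per host from syslog-style auth log text.

Added example for this thread; not part of Splunk or Splunk_TA_nix.
"""
import re
from collections import defaultdict

# Constructed sample lines in the traditional syslog layout that sudo writes
# to /var/log/secure (RHEL family) or /var/log/auth.log (Debian family).
SAMPLE_LOG = """\
Mar 10 14:02:11 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 14:02:11 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
Mar 10 14:03:40 db02 sudo[2211]:     bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 10 14:04:02 db02 sudo: bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 10 14:05:30 db02 sudo:   carol : TTY=pts/2 ; PWD=/var/lib/postgresql ; USER=postgres ; COMMAND=/usr/bin/psql -c 'SELECT 1'
"""

# One regex for the whole sudo summary line. The optional 'reason' group is
# present only when sudo refused the command (bad password, not in sudoers).
# Session open/close lines from pam_unix do not match and are skipped.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<invoker>\S+) :(?: (?P<reason>[^;]*?) ;)?"
    r" TTY=(?P<tty>\S+) ; PWD=(?P<pwd>[^;]*) ; USER=(?P<user>\S+) ; "
    r"COMMAND=(?P<command>.*)$"
)


def parse_sudo_lines(text):
    """Return one dict per sudo summary line, in file order."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["reason"] = ev["reason"] or None  # None means the command ran
            events.append(ev)
    return events


def commands_by_host(events, successful_only=False):
    """Group events by host, the 'by server' view the dashboard needs."""
    grouped = defaultdict(list)
    for ev in events:
        if successful_only and ev["reason"]:
            continue
        grouped[ev["host"]].append(ev)
    return dict(grouped)


def render_table(events):
    """Plain-text equivalent of '| table _time host USER PWD COMMAND'."""
    rows = ["_time\thost\tinvoker\tUSER\tPWD\tCOMMAND\tstatus"]
    for ev in events:
        status = "ok" if ev["reason"] is None else "denied: " + ev["reason"]
        rows.append("\t".join([ev["ts"], ev["host"], ev["invoker"],
                               ev["user"], ev["pwd"], ev["command"], status]))
    return "\n".join(rows)


if __name__ == "__main__":
    evs = parse_sudo_lines(SAMPLE_LOG)
    for host, host_events in sorted(commands_by_host(evs).items()):
        print(f"== {host} ==")
        print(render_table(host_events))
```

Keeping the rejected invocations as separate rows rather than filtering them out is deliberate: a burst of "incorrect password attempts" or "command not allowed" on one host is usually more interesting to the person watching the dashboard than the commands that succeeded.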
I can confirm that Splunk_TA_nix has been deprecated (I remember having received an email from Splunk about this). Anyway, it doesn't mean it will stop working 🙂
About your issue: you probably don't receive any logs because most of the inputs are disabled by default. What I would suggest you do is copy the ../default/inputs.conf to .../local/inputs.conf and then modify it to enable the scripted input OR the monitor stanza related to linux_secure.
Best Regards,
Edoardo
As with any add-on, it's just a tool that can help you interpret and maybe receive events from a particular kind of source, but it's up to you to make sure it's properly installed and configured.
Oh, and in case of TA_nix app, it's deprecated and you should rather use https://splunkbase.splunk.com/app/3476/
"Be sure to also check out the certified sudo (https://splunkbase.splunk.com/app/3038/), iptables (https://splunkbase.splunk.com/app/3089/) and auditd (https://splunkbase.splunk.com/app/2642/) apps."
But still, it's all search-head side configuration. You need to make sure that the proper logs are being pulled into splunk by configuring proper inputs with proper sourcetypes.
Do you know of a source that tells me how to configure it? I have looked through the existing add-on setup documentation and cannot find what I need.
Are you sure the TA_nix add-on is deprecated? I thought it was just the App itself? I don't see any deprecation callouts on its page.
Those other apps aren't supported by splunk so I cannot use them. I've had issues with unsupported apps in the past so all apps must be splunk supported now. Additionally, it looks like they'll cause conflict with the add-on for unix, which is working (just not with the linux_secure type).
About the obsoleteness - sorry, my bad, I mistook one app for another and quoted something wrongly. Forget it.
About the inputs - how are you receiving (or want to receive) the logs? Directly on the splunk server? On HF? On UF?
In general - creating proper inputs.conf stanzas in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf and restarting the splunk component responsible for reading the logs should suffice.
No worries, it's hard to keep everything straight in splunk.
So it wasn't a problem with the config. It was just IT Essentials Learn leading me down the wrong path. It seems to me that linux_secure has been deprecated.
I was able to get the results I need using a different search which I will post shortly.
@jackjack it exists in props.conf here - Splunk_TA_nix/default. By default, inputs.conf doesn't include a monitor for the secure logs; it's file-based monitoring. Guessing /var/log/secure could be the path.
If the nix add-on is set up correctly, the corresponding input is enabled, and you have access to view the sourcetype, then you should be able to find the logs.
Have a chat with your admin/ system team.
Unfortunately I am responsible for both splunk setup and splunk searching.
I think you're right in that the data is there, I just need to find it another way. I think IT Essentials Learn just led me down the wrong path - perhaps linux_secure was the method in the past and things have changed now.