Solved: .bash_history

raiqbal47010 · ‎05-15-2020

I have multisite environment and I want to monitor all the ssh user commands through .bash_history.
for that purpose I enable the monitor:// stanza in all splunk components. interestingly, I am seeing bash_history logs from some servers and majority of the servers are not showing me logs whereas the same configuraiton is across the border.
please advise.

PavelP · ‎05-15-2020

Hello @raiqbal47010

have you followed best practices for bash_history ingestion?

Based on this great post https://www.duanewaddle.com/splunking-bash-history/ by @dwaddle

https://github.com/duckfez/splunk-TA-bash_history

https://visibleninja.guru/splunking-bash-history/

View solution in original post

PavelP · ‎05-15-2020

Hello @raiqbal47010

have you followed best practices for bash_history ingestion?

Based on this great post https://www.duanewaddle.com/splunking-bash-history/ by @dwaddle

https://github.com/duckfez/splunk-TA-bash_history

https://visibleninja.guru/splunking-bash-history/

raiqbal47010 · ‎05-18-2020

I am getting below error on splunk instances:
not exporting configurations globally to system.
and seondly no commonds shown up when I press up arrown OR down arrow. even no history when i give history command. ?

.bash_history

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!