Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to enable sending linux command logging to Splunk?

dharshini
Explorer
‎01-22-2019 07:12 PM

Hi All,

How do we get to log all the commands run in the shell for an oracle linux OS. Right now, we are monitoring /var/log .
Can help provide steps to enable the logging of events with the command executed by any user in a linux terminal.

Note: I did edit the file /etc/audit/audit.rules and added the below rules and restarted.
vi /etc/audit/audit.rules
-a exit,always -F arch=b64 -S execve -k all_cmd_capture
-a exit,always -F arch=b32 -S execve -k all_cmd_capture

However, the log level increased the license (size of log sent to the indexer) by capturing all the background processes as well and exceeded license. Also the logs captured in splunk had the format like type=EXECVE msg=audit(1548110293.810:5052): argc=1 a0="date" .

Kindly suggest other possible ways to capture.

Thanks.

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-23-2019 06:07 AM

It depends on what you mean by "log all the commands". You can monitor /var/log/auditd or you can monitor /home/*/.bash_history. The first is simpler, less verbose, and more common (and more useful, IMO). Either way, you will be logging more data and must account for that in your license.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dharshini
Explorer
‎01-23-2019 11:40 PM

Yes. I added the session required pam_tty_audit.so enable=* into system-auth and password-auth-ac files and can see the logs as type= TTY or type-USER_TTY on splunk search head.
However the issue is the command executed is shown as hexadecimal format in the field name data=6364202F6574632F70617373090D which I need to convert to text to show up on report.
How do we convert this hexadecimal field into string?
Any inputs.

Thanks.

0 Karma
Reply

vishaltaneja070
Motivator
‎01-23-2019 05:50 AM

@dharshini

You can send the logs to nullqueue using props and transform for the events which are not required to get indexed which can decrease the license usage.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...