Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to enable sending linux command logging to Splunk?

dharshini
Explorer
‎01-22-2019 07:12 PM

Hi All,

How do we get to log all the commands run in the shell for an oracle linux OS. Right now, we are monitoring /var/log .
Can help provide steps to enable the logging of events with the command executed by any user in a linux terminal.

Note: I did edit the file /etc/audit/audit.rules and added the below rules and restarted.
vi /etc/audit/audit.rules
-a exit,always -F arch=b64 -S execve -k all_cmd_capture
-a exit,always -F arch=b32 -S execve -k all_cmd_capture

However, the log level increased the license (size of log sent to the indexer) by capturing all the background processes as well and exceeded license. Also the logs captured in splunk had the format like type=EXECVE msg=audit(1548110293.810:5052): argc=1 a0="date" .

Kindly suggest other possible ways to capture.

Thanks.

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-23-2019 06:07 AM

It depends on what you mean by "log all the commands". You can monitor /var/log/auditd or you can monitor /home/*/.bash_history. The first is simpler, less verbose, and more common (and more useful, IMO). Either way, you will be logging more data and must account for that in your license.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dharshini
Explorer
‎01-23-2019 11:40 PM

Yes. I added the session required pam_tty_audit.so enable=* into system-auth and password-auth-ac files and can see the logs as type= TTY or type-USER_TTY on splunk search head.
However the issue is the command executed is shown as hexadecimal format in the field name data=6364202F6574632F70617373090D which I need to convert to text to show up on report.
How do we convert this hexadecimal field into string?
Any inputs.

Thanks.

0 Karma
Reply

vishaltaneja070
Motivator
‎01-23-2019 05:50 AM

@dharshini

You can send the logs to nullqueue using props and transform for the events which are not required to get indexed which can decrease the license usage.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...