Splunk Forwarder-->Monitoring/Capturing of Specific Events?

Currently running CentOS 7.

I am currently running into an issue with Splunk forwarders. I need to be able to monitor the following for all Linux machines. Some of the following may only apply to Windows machines (which I am also monitoring, but I am still posting to see if it's something that can be done):

- File access denials - Google had mentioned auditd for this part?
- Logon denials
- Security group changes - may just be group changes
- Enabling/disabling (add/remove) of user accounts
- Files/folders/directory permission changes
- User logons/user logoffs

I know the line I need to add these is /opt/splunkforwarder/bin/splunk add monitor followed by the path to specific logs. What I currently have is monitoring /var/log/ (simple enough) to capture everything else. But if you all have had any experience using Splunk forwarders, please let me know if there is a better way to monitor this type of activity.

Tags: logs, monitoring
edited Jan 28 at 17:21
cutrightjm
asked Oct 12 '16 at 18:24
Atlas_Atlas_
13
1 Answer
Found out this can be done by configuring the audit.rules file found at /etc/audit/rules.d/audit.rules. I will post the configuration file as it may come in handy for future users encountering the same issue. Info gathered from goo.gl/AVuCjn

The only thing I need to do now is configure the Splunk forwarder to capture this information.

NOTE: IF YOU HAVE A 32-BIT SYSTEM YOU MUST CHANGE b64->b32 (USE "%s/b64/b32/")

```
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024

# Feel free to add below this line. See auditctl man page

# Record events that modify account information
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

# Record events that modify the network configuration
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

# Record logon and logout events
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins

# Record process and session initiation information
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

# Record discretionary access control permission modification events
# (auid>=500: CentOS 7 sets UID_MIN=1000 in /etc/login.defs, so 500 also
#  matches system accounts 500-999; auid!=4294967295 skips processes with
#  no login session, e.g. daemons started at boot)
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

# Record unauthorized (unsuccessful) access attempts to files
# (each rule must be on a single line; the rules file has no line continuation)
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

# Record information on exporting to media (successful)
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export

# Record file deletion events by user (successful and unsuccessful)
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

# Record system administrator actions
-w /etc/sudoers -p wa -k actions

# Record information on kernel module loading and unloading
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -S init_module -S delete_module -k modules
```
answered Oct 14 '16 at 13:43
Atlas_Atlas_
13
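As an added example (not code from the answer above, and not Splunk's or auditd's own code), here is what the rules in that answer actually produce once auditd is running, and how to pull the question's categories out of it. After the rules are loaded (`augenrules --load`, or `auditctl -R /etc/audit/rules.d/audit.rules`), the forwarder side is one more monitor, e.g. `/opt/splunkforwarder/bin/splunk add monitor /var/log/audit/audit.log -sourcetype linux_audit` (the sourcetype name is an assumption; use whatever your indexer's add-on expects). Three caveats a practitioner should know: on x86_64 a rule with `-F arch=b64` only matches 64-bit syscalls, so every `-a` rule needs a twin with `arch=b32` or a 32-bit binary bypasses it; the `logins` and `session` watches fire on writes to those files, whereas the logons, logoffs and logon denials themselves arrive as USER_LOGIN, USER_AUTH, USER_START and USER_END records from sshd/PAM with no rule at all; and all records of one event share a serial number, so a SYSCALL record has to be joined with its PATH records to learn which file was touched. The script parses constructed sample lines in auditd's own format, joins them by serial, and counts events per category and login UID (auid, which survives su and sudo, unlike uid).

```python
"""Reduce auditd records to the event categories asked about above.

Added example, not from the original post. SAMPLE_LOG is constructed by
hand in the format auditd writes to /var/log/audit/audit.log:
type=<T> msg=audit(<secs>.<ms>:<serial>): k=v k="v" ...
"""
import errno
import re
from collections import Counter, defaultdict

# -k keys from the rules file above, mapped to the categories in the question.
KEY_TO_CATEGORY = {
    "identity": "account change",
    "logins": "login-file change",
    "session": "session-file change",
    "perm_mod": "permission change",
    "access": "file access denial",
    "delete": "file deletion",
    "actions": "sudoers change",
    "modules": "kernel module",
    "system-locale": "network config change",
    "export": "mount",
}
# Logon/logoff records come from sshd/PAM as user-space records, no rule needed.
LOGIN_TYPES = {"USER_LOGIN", "USER_AUTH", "USER_START", "USER_END"}
UNSET_AUID = 4294967295  # -1 as u32: no login session (daemons, boot, failed logons)

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """One audit.log line -> dict of its fields, or None if not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec_type, ts, serial, rest = m.groups()
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(rest)}
    fields.update(type=rec_type, ts=float(ts), serial=int(serial))
    return fields


def group_events(lines):
    """Join records that share a serial and flatten each group into one event."""
    by_serial = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]].append(rec)
    events = []
    for serial, recs in sorted(by_serial.items()):
        head = recs[0]
        ev = {"serial": serial, "ts": head["ts"], "type": head["type"],
              "auid": int(head.get("auid", UNSET_AUID))}
        if head["type"] == "SYSCALL":
            key = head.get("key", "(none)")
            code = -int(head.get("exit", "0"))  # exit=-13 -> 13 -> EACCES
            ev.update(
                category=KEY_TO_CATEGORY.get(key, key), key=key,
                comm=head.get("comm"), exe=head.get("exe"),
                success=head.get("success") == "yes",
                error=errno.errorcode.get(code) if code > 0 else None,
                # PATH records carry the file names; a SYSCALL record alone does not.
                paths=[r["name"] for r in recs if r["type"] == "PATH" and "name" in r],
            )
        elif head["type"] in LOGIN_TYPES:
            ev.update(category="logon/logoff", result=head.get("res"),
                      acct=head.get("acct") or head.get("id"), addr=head.get("addr"))
        else:
            ev.update(category="other")
        events.append(ev)
    return events


def summarize(events):
    """Count events per (category, auid)."""
    return Counter((ev["category"], ev["auid"]) for ev in events)


# Constructed sample: a denied read of /etc/shadow and a chmod by auid 1000,
# useradd (no auid) editing /etc/passwd, then sshd/PAM logon records.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1476303600.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd0 a1=0 a2=0 a3=0 items=1 ppid=2100 pid=2105 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="access"
type=CWD msg=audit(1476303600.123:456):  cwd="/home/alice"
type=PATH msg=audit(1476303600.123:456): item=0 name="/etc/shadow" inode=67219 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1476303601.500:457): arch=c000003e syscall=90 success=yes exit=0 a0=7ffd1 a1=1ff a2=0 a3=0 items=1 ppid=2100 pid=2110 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="perm_mod"
type=PATH msg=audit(1476303601.500:457): item=0 name="/home/alice/secret.txt" inode=1337 dev=fd:00 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1476303602.000:458): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd2 a1=241 a2=1b6 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="useradd" exe="/usr/sbin/useradd" subj=system_u:system_r:unconfined_t:s0 key="identity"
type=PATH msg=audit(1476303602.000:458): item=0 name="/etc/passwd" inode=67112 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=NORMAL
type=USER_LOGIN msg=audit(1476303603.000:459): pid=2200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1476303604.000:460): pid=2201 uid=0 auid=1000 ses=5 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/1 res=success'
type=USER_END msg=audit(1476303700.000:461): pid=2201 uid=0 auid=1000 ses=5 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
"""

if __name__ == "__main__":
    for ev in group_events(SAMPLE_LOG.splitlines()):
        print(ev["serial"], ev["category"], ev["auid"],
              ev.get("paths") or ev.get("acct"), ev.get("error") or ev.get("result"))
```

Note that the useradd event is captured with auid 4294967295: the `-w` watches in the rules file carry no auid filter, so changes made by daemons and boot-time scripts to /etc/passwd are recorded, while the `-a` syscall rules with `auid!=4294967295` deliberately drop them.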