Splunk Forwarder-->Monitoring/Capturing of Specific Events?












0















Currently Running CentOS7.



I am currently running into an issue with Splunk forwarders. I need to be able to monitor the following for all Linux machines. Some of the following may only apply to windows machines (which I am also monitoring but still posting to see if it's something that can be done"




  • File Access Denials - Google had mentioned auditd for this part?


  • Logon Denials


  • Security Group Changes - May just be group changes


  • Enabling/Disabling (Add/Remove) of user accounts


  • Files/Folders/and Directory permission changes


  • User Logons/User Logoffs



I know the line I need to add these is /opt/splunkforwarder/bin/splunk add monitor followed by the path to specific logs. What I currently have is monitoring /var/log/ (simple enough) to capture everything else. But if you all have had any experience using Splunk Forwarders, please let me know if there is a better way to monitor this type of activity










share|improve this question





























    0















    Currently Running CentOS7.



    I am currently running into an issue with Splunk forwarders. I need to be able to monitor the following for all Linux machines. Some of the following may only apply to windows machines (which I am also monitoring but still posting to see if it's something that can be done"




    • File Access Denials - Google had mentioned auditd for this part?


    • Logon Denials


    • Security Group Changes - May just be group changes


    • Enabling/Disabling (Add/Remove) of user accounts


    • Files/Folders/and Directory permission changes


    • User Logons/User Logoffs



    I know the line I need to add these is /opt/splunkforwarder/bin/splunk add monitor followed by the path to specific logs. What I currently have is monitoring /var/log/ (simple enough) to capture everything else. But if you all have had any experience using Splunk Forwarders, please let me know if there is a better way to monitor this type of activity










    share|improve this question



























      0












      0








      0


      1






      Currently Running CentOS7.



      I am currently running into an issue with Splunk forwarders. I need to be able to monitor the following for all Linux machines. Some of the following may only apply to windows machines (which I am also monitoring but still posting to see if it's something that can be done"




      • File Access Denials - Google had mentioned auditd for this part?


      • Logon Denials


      • Security Group Changes - May just be group changes


      • Enabling/Disabling (Add/Remove) of user accounts


      • Files/Folders/and Directory permission changes


      • User Logons/User Logoffs



      I know the line I need to add these is /opt/splunkforwarder/bin/splunk add monitor followed by the path to specific logs. What I currently have is monitoring /var/log/ (simple enough) to capture everything else. But if you all have had any experience using Splunk Forwarders, please let me know if there is a better way to monitor this type of activity










      share|improve this question
















      Currently Running CentOS7.



      I am currently running into an issue with Splunk forwarders. I need to be able to monitor the following for all Linux machines. Some of the following may only apply to windows machines (which I am also monitoring but still posting to see if it's something that can be done"




      • File Access Denials - Google had mentioned auditd for this part?


      • Logon Denials


      • Security Group Changes - May just be group changes


      • Enabling/Disabling (Add/Remove) of user accounts


      • Files/Folders/and Directory permission changes


      • User Logons/User Logoffs



      I know the line I need to add these is /opt/splunkforwarder/bin/splunk add monitor followed by the path to specific logs. What I currently have is monitoring /var/log/ (simple enough) to capture everything else. But if you all have had any experience using Splunk Forwarders, please let me know if there is a better way to monitor this type of activity







      logs monitoring






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 28 at 17:21









      cutrightjm

      2,13221325




      2,13221325










      asked Oct 12 '16 at 18:24









      Atlas_Atlas_

      13




      13






















          1 Answer
          1






          active

          oldest

          votes


















          0














          Found out this can be done by configuring the audit.rules file found /etc/audit/rules.d/audit.rules. I will post the configuration file as it may come in handy for future users encountering the same issue. Info gathered from goo.gl/AVuCjn
          The only thing I need to do now is configure splunk forwarder to capture this information now.



          NOTE-IF YOU HAVE A 32-BIT SYSTEM YOU MUST CHANGE b64->b32 USE "%s/b64/b32/"



          This file contains the auditctl rules that are loaded



          whenever the audit daemon is started via the initscripts.



          The rules are simply the parameters that would be passed



          to auditctl.



          First rule - delete all



          -D



          Increase the buffers to survive stress events.



          Make this bigger for busy systems



          -b 1024



          Feel free to add below this line. See auditctl man page



          Record events that modify account information



          -w /etc/group -p wa -k identity
          -w /etc/passwd -p wa -k identity
          -w /etc/gshadow -p wa -k identity
          -w /etc/shadow -p wa -k identity
          -w /etc/security/opasswd -p wa -k identity



          Record events that modify the network configuration



          -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
          -w /etc/issue -p wa -k system-locale
          -w /etc/issue.net -p wa -k system-locale
          -w /etc/hosts -p wa -k system-locale
          -w /etc/sysconfig/network -p wa -k system-locale



          Record logon and logout Events



          -w /var/log/faillog -p wa -k logins
          -w /var/log/lastlog -p wa -k logins



          Record process and session initiation information



          -w /var/run/utmp -p wa -k session
          -w /var/log/btmp -p wa -k session
          -w /var/log/wtmp -p wa -k session



          Record discretionary access control permission modification events



          -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod



          Record discretionary access control permission modification events



          -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
          -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
          -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod



          Record unauthorized access attempts to files unsuccessful



          -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
          -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
          -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
          -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access



          Record information on exporting to Media (successful)



          -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export



          Record files deletion events by User (successful and unsuccessful)



          -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500
          -F auid!=4294967295 -k delete



          Record system administrator actions



          -w /etc/sudoers -p wa -k actions



          Record information on kernel module loading and unloading



          -w /sbin/insmod -p x -k modules
          -w /sbin/rmmod -p x -k modules
          -w /sbin/modprobe -p x -k modules
          -a always,exit -S init_module -S delete_module -k modules






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "106"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f316011%2fsplunk-forwarder-monitoring-capturing-of-specific-events%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            Found out this can be done by configuring the audit.rules file found /etc/audit/rules.d/audit.rules. I will post the configuration file as it may come in handy for future users encountering the same issue. Info gathered from goo.gl/AVuCjn
            The only thing I need to do now is configure splunk forwarder to capture this information now.



            NOTE-IF YOU HAVE A 32-BIT SYSTEM YOU MUST CHANGE b64->b32 USE "%s/b64/b32/"



            This file contains the auditctl rules that are loaded



            whenever the audit daemon is started via the initscripts.



            The rules are simply the parameters that would be passed



            to auditctl.



            First rule - delete all



            -D



            Increase the buffers to survive stress events.



            Make this bigger for busy systems



            -b 1024



            Feel free to add below this line. See auditctl man page



            Record events that modify account information



            -w /etc/group -p wa -k identity
            -w /etc/passwd -p wa -k identity
            -w /etc/gshadow -p wa -k identity
            -w /etc/shadow -p wa -k identity
            -w /etc/security/opasswd -p wa -k identity



            Record events that modify the network configuration



            -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
            -w /etc/issue -p wa -k system-locale
            -w /etc/issue.net -p wa -k system-locale
            -w /etc/hosts -p wa -k system-locale
            -w /etc/sysconfig/network -p wa -k system-locale



            Record logon and logout Events



            -w /var/log/faillog -p wa -k logins
            -w /var/log/lastlog -p wa -k logins



            Record process and session initiation information



            -w /var/run/utmp -p wa -k session
            -w /var/log/btmp -p wa -k session
            -w /var/log/wtmp -p wa -k session



            Record discretionary access control permission modification events



            -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod



            Record discretionary access control permission modification events



            -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
            -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
            -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod



            Record unauthorized access attempts to files unsuccessful



            -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
            -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
            -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
            -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access



            Record information on exporting to Media (successful)



            -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export



            Record files deletion events by User (successful and unsuccessful)



            -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500
            -F auid!=4294967295 -k delete



            Record system administrator actions



            -w /etc/sudoers -p wa -k actions



            Record information on kernel module loading and unloading



            -w /sbin/insmod -p x -k modules
            -w /sbin/rmmod -p x -k modules
            -w /sbin/modprobe -p x -k modules
            -a always,exit -S init_module -S delete_module -k modules






            share|improve this answer




























              0














              Found out this can be done by configuring the audit.rules file found /etc/audit/rules.d/audit.rules. I will post the configuration file as it may come in handy for future users encountering the same issue. Info gathered from goo.gl/AVuCjn
              The only thing I need to do now is configure splunk forwarder to capture this information now.



              NOTE-IF YOU HAVE A 32-BIT SYSTEM YOU MUST CHANGE b64->b32 USE "%s/b64/b32/"



              This file contains the auditctl rules that are loaded



              whenever the audit daemon is started via the initscripts.



              The rules are simply the parameters that would be passed



              to auditctl.



              First rule - delete all



              -D



              Increase the buffers to survive stress events.



              Make this bigger for busy systems



              -b 1024



              Feel free to add below this line. See auditctl man page



              Record events that modify account information



              -w /etc/group -p wa -k identity
              -w /etc/passwd -p wa -k identity
              -w /etc/gshadow -p wa -k identity
              -w /etc/shadow -p wa -k identity
              -w /etc/security/opasswd -p wa -k identity



              Record events that modify the network configuration



              -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
              -w /etc/issue -p wa -k system-locale
              -w /etc/issue.net -p wa -k system-locale
              -w /etc/hosts -p wa -k system-locale
              -w /etc/sysconfig/network -p wa -k system-locale



              Record logon and logout Events



              -w /var/log/faillog -p wa -k logins
              -w /var/log/lastlog -p wa -k logins



              Record process and session initiation information



              -w /var/run/utmp -p wa -k session
              -w /var/log/btmp -p wa -k session
              -w /var/log/wtmp -p wa -k session



              Record discretionary access control permission modification events



              -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod



              Record discretionary access control permission modification events



              -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
              -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
              -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod



              Record unauthorized access attempts to files unsuccessful



              -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
              -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
              -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
              -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access



              Record information on exporting to Media (successful)



              -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export



              Record files deletion events by User (successful and unsuccessful)



              -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500
              -F auid!=4294967295 -k delete



              Record system administrator actions



              -w /etc/sudoers -p wa -k actions



              Record information on kernel module loading and unloading



              -w /sbin/insmod -p x -k modules
              -w /sbin/rmmod -p x -k modules
              -w /sbin/modprobe -p x -k modules
              -a always,exit -S init_module -S delete_module -k modules






              share|improve this answer


























                0












                0








                0







                Found out this can be done by configuring the audit.rules file found /etc/audit/rules.d/audit.rules. I will post the configuration file as it may come in handy for future users encountering the same issue. Info gathered from goo.gl/AVuCjn
                The only thing I need to do now is configure splunk forwarder to capture this information now.



                NOTE-IF YOU HAVE A 32-BIT SYSTEM YOU MUST CHANGE b64->b32 USE "%s/b64/b32/"



                This file contains the auditctl rules that are loaded



                whenever the audit daemon is started via the initscripts.



                The rules are simply the parameters that would be passed



                to auditctl.



                First rule - delete all



                -D



                Increase the buffers to survive stress events.



                Make this bigger for busy systems



                -b 1024



                Feel free to add below this line. See auditctl man page



                Record events that modify account information



                -w /etc/group -p wa -k identity
                -w /etc/passwd -p wa -k identity
                -w /etc/gshadow -p wa -k identity
                -w /etc/shadow -p wa -k identity
                -w /etc/security/opasswd -p wa -k identity



                Record events that modify the network configuration



                -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
                -w /etc/issue -p wa -k system-locale
                -w /etc/issue.net -p wa -k system-locale
                -w /etc/hosts -p wa -k system-locale
                -w /etc/sysconfig/network -p wa -k system-locale



                Record logon and logout Events



                -w /var/log/faillog -p wa -k logins
                -w /var/log/lastlog -p wa -k logins



                Record process and session initiation information



                -w /var/run/utmp -p wa -k session
                -w /var/log/btmp -p wa -k session
                -w /var/log/wtmp -p wa -k session



                Record discretionary access control permission modification events



                -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod



                Record discretionary access control permission modification events



                -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
                -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
                -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod



                Record unauthorized access attempts to files unsuccessful



                -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
                -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
                -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
                -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access



                Record information on exporting to Media (successful)



                -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export



                Record files deletion events by User (successful and unsuccessful)



                -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500
                -F auid!=4294967295 -k delete



                Record system administrator actions



                -w /etc/sudoers -p wa -k actions



                Record information on kernel module loading and unloading



                -w /sbin/insmod -p x -k modules
                -w /sbin/rmmod -p x -k modules
                -w /sbin/modprobe -p x -k modules
                -a always,exit -S init_module -S delete_module -k modules






                share|improve this answer













                Found out this can be done by configuring the audit.rules file found /etc/audit/rules.d/audit.rules. I will post the configuration file as it may come in handy for future users encountering the same issue. Info gathered from goo.gl/AVuCjn
                The only thing I need to do now is configure splunk forwarder to capture this information now.



                NOTE-IF YOU HAVE A 32-BIT SYSTEM YOU MUST CHANGE b64->b32 USE "%s/b64/b32/"



                This file contains the auditctl rules that are loaded



                whenever the audit daemon is started via the initscripts.



                The rules are simply the parameters that would be passed



                to auditctl.



                First rule - delete all



                -D



                Increase the buffers to survive stress events.



                Make this bigger for busy systems



                -b 1024



                Feel free to add below this line. See auditctl man page



                Record events that modify account information



                -w /etc/group -p wa -k identity
                -w /etc/passwd -p wa -k identity
                -w /etc/gshadow -p wa -k identity
                -w /etc/shadow -p wa -k identity
                -w /etc/security/opasswd -p wa -k identity



                Record events that modify the network configuration



                -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
                -w /etc/issue -p wa -k system-locale
                -w /etc/issue.net -p wa -k system-locale
                -w /etc/hosts -p wa -k system-locale
                -w /etc/sysconfig/network -p wa -k system-locale



                Record logon and logout Events



                -w /var/log/faillog -p wa -k logins
                -w /var/log/lastlog -p wa -k logins



                Record process and session initiation information



                -w /var/run/utmp -p wa -k session
                -w /var/log/btmp -p wa -k session
                -w /var/log/wtmp -p wa -k session



                Record discretionary access control permission modification events



                -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod



                Record discretionary access control permission modification events



                -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
                -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
                -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod



                Record unauthorized access attempts to files unsuccessful



                -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
                -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
                -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate
                -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access



                Record information on exporting to Media (successful)



                -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export



                Record files deletion events by User (successful and unsuccessful)



                -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500
                -F auid!=4294967295 -k delete



                Record system administrator actions



                -w /etc/sudoers -p wa -k actions



                Record information on kernel module loading and unloading



                -w /sbin/insmod -p x -k modules
                -w /sbin/rmmod -p x -k modules
                -w /sbin/modprobe -p x -k modules
                -a always,exit -S init_module -S delete_module -k modules







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Oct 14 '16 at 13:43









                Atlas_Atlas_

                13




                13






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Unix & Linux Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f316011%2fsplunk-forwarder-monitoring-capturing-of-specific-events%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    How to make a Squid Proxy server?

                    Is this a new Fibonacci Identity?

                    19世紀