Auditd hosts in all environments

Shows the login activity to our linux environments, sudo commands per host and users. Admin Notes: index=main was changed to index=* due to not everyone using the same index. This dashboard has been tested for code errors, but not for search errors. Please comment if you have any issues!   <form> <label>Audit All Hosts</label> <fieldset submitButton=”false”> […]

Continue Reading →

Linux Cron Job Information

This splunk query example uses regex (regular expressions) to extract information on Linux cron jobs. *Note* this query has not been extensively tested sourcetype=”cron” | eval Date=strftime(_time, “%Y/%m/%d”) | rex “.*:\d{2}\s(?<hostname>\S+)” | rex “]:\sfinished(?<Info>.*)”  | stats count by Date, hostname, Info

Continue Reading →

Escalation of Privileges via SU in Linux

The following splunk query example will return a list of users who escalated privileges on any host in a given time range. The query will count by day, if you need to count in a shorter or longer time range modify the “Date=strftime” value below. *NOTE* if the host field is being autoextracted (for instance […]

Continue Reading →

Count of Unique Hosts in Linux

The following splunk query example will return a unique count of hosts in a given time range *NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and can call upon the auto extracted fieldname of “host” sourcetype=linux_secure |rex “.*:\d{2}\s(?<hostname>\S+)” | […]

Continue Reading →

List of Hosts in a Linux Environment

The following splunk query example will return a list of hosts by hostname in a given time range. *NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and can call upon the auto extracted fieldname of “host” sourcetype=linux_secure |rex “.*:\d{2}\s(?<hostname>\S+)” […]

Continue Reading →