Linux authorization logs are a type of authentication data used to track the use of authorization systems. They are plaintext log files written by syslog that record system authorization information, such as user logins and the authentication mechanisms that were used. They track both successful and failed logins, as well as authentication processes, sudo attempts, and user and group creation. Only syslog and administrators can read them, and only a user with root privileges can modify them.
Linux auth logs provide detailed insight into unauthorized or failed login attempts and into the activities of valid users. They can give clues to potential threats and hacking attempts, such as a continuous stream of scanning or brute-force attacks.
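As an added example (not part of the original page or of the Splunk add-on), the following Python parses the kinds of auth.log lines described above (failed and accepted SSH logins, sudo use, user creation) and flags the brute-force pattern the page mentions with a sliding-window count of failed logins per source address. The sample lines, host name, addresses and the default of 3 failures within 60 seconds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (traditional syslog layout: no year in the timestamp).
SAMPLE_AUTH_LOG = """\
Mar  4 09:12:01 web01 sshd[2114]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar  4 09:12:03 web01 sshd[2116]: Failed password for invalid user admin from 198.51.100.23 port 50124 ssh2
Mar  4 09:12:05 web01 sshd[2118]: Failed password for root from 198.51.100.23 port 50126 ssh2
Mar  4 09:12:11 web01 sshd[2124]: Accepted publickey for deploy from 203.0.113.8 port 41002 ssh2
Mar  4 09:13:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  4 09:14:30 web01 useradd[2201]: new user: name=svc_backup, UID=1003, GID=1003, home=/var/lib/backup, shell=/usr/sbin/nologin
"""

# Syslog header (timestamp, host, program with optional PID), then the program-specific message.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+)")

def parse_auth_log(text):
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m is None:
            continue  # not syslog-shaped (truncated line, stray output): nothing to classify
        prog, msg = m["prog"], m["msg"]
        # auth.log timestamps omit the year, so the parsed datetime is only good for time deltas
        ev = {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "host": m["host"], "kind": "other"}
        if prog == "sshd" and (s := SSH_RE.search(msg)):
            ev.update(kind="failed_login" if s["result"].startswith("Failed") else "accepted_login", user=s["user"], ip=s["ip"])
        elif prog == "sudo" and (s := SUDO_RE.match(msg)):
            ev.update(kind="sudo", user=s["user"], target=s["target"], cmd=s["cmd"])
        elif prog == "useradd" and (s := USERADD_RE.search(msg)):
            ev.update(kind="user_created", user=s["user"])
        events.append(ev)  # unrecognised messages stay in the stream with kind "other"
    return events

def detect_brute_force(events, threshold=3, window_seconds=60):
    """Source IPs with at least `threshold` failed logins inside any sliding window of `window_seconds`."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # sorted once, so every per-IP list is chronological
        if e["kind"] == "failed_login":
            by_ip[e["ip"]].append(e["ts"])
    alerts = {}
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window start forward until it spans at most window_seconds
            if end - start + 1 >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts
```

On the sample, `detect_brute_force(parse_auth_log(SAMPLE_AUTH_LOG))` returns `{"198.51.100.23": 3}`; the same grouping by source address and time window is what a Splunk search over the osnixsec index would express with `stats` or `bin` on `_time`.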
How can I use this data?
When your Splunk deployment is ingesting Linux authorization logs, you can use the data to achieve the following objectives:
- Coming soon!
The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Linux resources.
Getting Linux authorization data in
Splunk Docs contains extensive guidance on getting data into your Splunk deployment. If your deployment is not already ingesting Linux authorization data, the following topics can assist you in preparing to work with this data type:
- Splunk Enterprise
- Splunk Cloud
The recommended index is osnixsec.
The source type is syslog.
The supported input type is monitor:///var/log/auth.log.
In addition, you need the Splunk Add-on for Unix and Linux. Read and follow the add-on documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Linux, and configure Splunk.
Linux event volume can vary greatly based on the type of host. At a very high level, common ranges are:
- Workstation: 4-6 MB/day
- Application Servers: 25-50 MB/day
These ranges can vary dramatically; for example, highly active Linux servers with thousands of simultaneous users can produce considerably more volume.
When you deploy new audit policies, newly added systems or an increase in system log messages usually show up first in Splunk. If you already have some logs coming in and want to validate that you are receiving the new ones, look for the delta between your old policy and your new one.