Hi.
We would like to index users' shell history (.bash_history) in Splunk. The issue is that we have shared home directories that are NFS mounted. That means whenever you log into a machine, you're accessing your same files and, consequently, the same .bash_history.
We'd like Splunk to know what host the user was on when .bash_history was updated. This way we can run a search within Splunk and see who typed which commands from which host.
Is this possible? It sounds like it's a procedural issue that is outside of Splunk. I'm hoping someone else here has accomplished this.
Thanks!
Splunk alone cannot do this. This really isn't a question for Splunk, more of a question of "how do I manage shell history files on a shared unix filesystem?"
You can make bash produce distinct history files per host and then index those. Add something like this to .profile:
mkdir -p "$HOME/.history"                   # bash will not create the directory itself
export HISTSIZE=10000
export HISTFILESIZE=10000                   # otherwise bash truncates the file to its default size on exit
export HISTTIMEFORMAT="%F %T "              # makes bash write a "#<epoch>" line before each command
export HISTFILE="$HOME/.history/$HOSTNAME"  # one history file per host on the shared home
export PROMPT_COMMAND='history -a'          # append after every command, not only at logout
Bonus - you get usable timestamps in your bash history!
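To show what the per-host layout above buys you once the files are picked up, here is an added example (not part of the answer above) that turns the "#<epoch>" timestamp lines bash writes into one host- and user-tagged key=value event per command, taking the host from the file name under $HOME/.history. Function names and the sample history content are constructed for illustration.

```shell
#!/bin/sh
# With HISTTIMEFORMAT set, bash stores "#<epoch>" on the line before each
# command. Emit one "ts= host= user= cmd=" event per command so a search
# can attribute commands to a host without relying on the file path.
history_to_events() {
    file=$1; host=$2; user=$3
    awk -v host="$host" -v user="$user" '
        /^#[0-9]+$/ { ts = substr($0, 2); next }   # timestamp line written by bash
        {
            # Command line. ts is empty for entries written before HISTTIMEFORMAT
            # was set and for continuation lines of multi-line commands.
            printf "ts=%s host=%s user=%s cmd=\"%s\"\n",
                   (ts == "" ? "unknown" : ts), host, user, $0
            ts = ""
        }' "$file"
}

# Walk a $HOME/.history directory: each file is named after the host it was
# written on, so the file name is the host field.
history_dir_to_events() {
    dir=$1; user=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        history_to_events "$f" "$(basename "$f")" "$user"
    done
}

# Constructed sample of what bash writes with the settings above; the last
# entry deliberately has no timestamp line.
sample_history() {
    printf '%s\n' \
        '#1700000000' \
        'sudo systemctl restart sshd' \
        '#1700000042' \
        'vim /etc/ssh/sshd_config' \
        'cd /tmp'
}

# Demo: two hosts sharing one home directory.
demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/.history"
    sample_history > "$d/.history/web01"
    sample_history > "$d/.history/db02"
    printf '%s\n' "$d"
}
```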