Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Monitoring hidden files on Linux

Peter_B
Explorer
‎04-26-2010 07:46 AM

I'm having a problem trying to monitor the .bash_history file. I've set up a monitor for /home with a whitelist of ".bash_hsitory". When I run "splunk list monitor" it shows no files. If I take out the whitelist it shows all the files under /home except for those with a dot prefix.

Does anyone know how to make Splunk find these hidden files?

Thanks.

Tags (2)
Reply

jrodman
Splunk Employee
Splunk Employee
‎05-31-2010 09:24 PM

The 4.0.x monitor input, at least (currently unsure about 4.1.x), doesn't handle dotfiles. A customer reported this around the turn of the year, and it was logged as an enhancement request. I have a vague memory of special features surrounding dotfiles dating back to very early versions of Splunk. There certainly are cases where people might want to monitor a directory of files and NOT monitor dotfiles in said directory, although I would prefer our blacklist feature be used to get this behavior.

(Splunk 1.x was very focused on "handy" features for the solo admin to help her or him get a lot done with little effort. By Splunk 4 the focused has changed drastically towards straightforward behavior and reliable, investigatable configuration. This is a scale of users thing.)

You may be able, on 4.1.x, to defeat this rule by symlinking to it. On 4.0.x the symlink would likely not be successful.

Reply

Peter_B
Explorer
‎06-01-2010 07:03 AM

Thanks for that. I can monitor a particular file, e.g. root's .bash_history, explicitly; but as Lowell pointed out above it is of limited use. It does provide some information extra to what we get from ps output and from the syscall logging by auditd, so we'll probably use it that way - monitor some explicitly named bash_history files rather than look for all under /home.

0 Karma
Reply

Lowell
Super Champion
‎04-26-2010 02:52 PM

It seems like there are a number of items to address here. As far as I know splunk does not do any special processing or blocking of hidden (or ".*" files).

The first think you may want to check is simply file permissions. From within splunk's web interface, you should be able to see evidence of this kind of problem with the following search:

index=_internal sourcetype="splunkd" FileClassifierManager

Also, a more generally useful approach is to login as the 'splunk' user, and run the the command to see how splunk will process an individual input file.

splunk test sourcetype /home/someuser/.bash_history

When I try this on my system, for example, and got the message, which indicates a permissions issue. 

WARN  FileClassifierManager - Unable to open /home/someuser/.bash_history.
WARN  FileClassifierManager - Invalid file: /home/someuser/.bash_history, reason: cannot_read.

When I tried this with a file that could be read by the splunk user, then it created a new source type called "bash_history", but looking over the automatically assigned settings, I can tell you that it will not look quite right out of the box due to line breaking. The other issue you will have is with timestamping. My local copy of .bash_history has no timestamps in it, and if I understand how bash works properly, this file is only ever updated when you logout, therefore you will see a number of new entires showing up all at once.... also I don't think this file is "rotated" in standard log fashion, which could cause duplicate entries (I'd have to test it to see). The bottom line is that this probably isn't going to work right out of the box, and I'm not sure it's going to give you want you are looking for. Which begs the question, what exactly are you actually trying to get out of indexing this file?

If you want to track user activity, there are other options. Also if this is your only means of tracking user activity, then your users can easily circumvent your means of tracking fairly easily by either messing with .bash_history directly (since they own the file), or my simply running a different shell (zsh, ksh, csh, and so on...).

You may wan to check out the ps scripted input in the unix application. That's already setup to capture commands running on the system, and you may find it to be a better option for you. If you really want to get nit picky about whats running, you probably will want to check out the linux audit system. Splunk also has a scripted input for reading files written by auditd.

Reply

Lowell
Super Champion
‎04-27-2010 06:48 PM

Have you tried explicitly monitoring for a single file for a single user? Something like [monitor:///home/someuser/.bash_history], while this isn't a long-term solution you can at least prove or disprove the usability of this source. Good luck. (Oh, and please post an update letting us know if indexing this info ends up being helpful or not. I'm quite curious.)

0 Karma
Reply

Peter_B
Explorer
‎04-27-2010 07:07 AM

Thanks for your response. I tried splunk test sourcetype as you suggest - it doesn't indicate any permissions problems. I agree with you about the problems with bash_history (or *history to cover other shells), but I think when it's used in conjunction with auditd and the ps input it may provide additional useful information. Unfortunately I can't try it out because I can't get a monitor on /home to find any files with a dot prefix.
Thanks again for the splunk test sourceype tip, I hadn't heard of that before.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...