All Apps and Add-ons

How can I monitor successful and failed logins on Linux servers?

kranthi851
New Member

Hi ,

How can I monitor Linux servers successful & failed logins? I have a forwarder and Splunk Add-on for Unix and Linux installed on the server.

0 Karma

dbcase
Motivator

You can get the failed ones like this:

index=os process=sshd eventtype=failed_login

0 Karma

kbrown_splunk
Splunk Employee
Splunk Employee

Yes, just make sure you have permissions for the user running Splunk to your /var/log/ log directory and that you configure the Splunk_TA_nix inputs.conf [monitor:///var/log] enabled (This can be done via the GUI under the Apps menu
Apps->Splunk add-on for Nix

http://www.function1.com/2015/07/splunking-the-linux-audit-system

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...