Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract name of user when useradd command is ran

jcorkey
Explorer
‎08-02-2017 07:55 AM

I am receiving the audit.log data from a universal forwarder running on a Linux box

Hello below is my search string and event logs:

search string

index=* host=* sourcetype="" user="" "/usr/sbin/useradd" "type=ADD_USER"

example of log results:

type=ADD_USER msg=audit(1501682042.274:12228): pid=6168 uid=0 auid=1000 ses=1367 msg='op=add-user id=1007 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/1 res=success'
date_zone = 0 index =   my_fwdr =   /var/log/audit/audit.log sourcetype =   linux:audit uid =   0 user =    guser

I see that the user who ran the useradd command is "guser" and the id of the newly created user is 1007 BUT I want the actual user NAME of the newly created user...not the id
How do I get the actual name of the newly created user. I don't want the id. Do I need to search in a different log file? Does audit.log not contain the user name but only the id when users are created?

0 Karma
Reply

DalJeanis
Legend
‎08-02-2017 08:49 AM

Think of it this way...

A user ID is like a key that allows you to find the user account itself.

The user name is just a description of the account, not necessarily the name of a person. The user name could be, literally, "Service Account 23 for Marketing Initiatives under Jane Smith's hierachy"

In the text on each log record, the user name would be redundant. (I'm not saying there is never redundant data on log records, I'm especially not saying that about Windows log events, but still...)

So, you'll need to contact your security folks to find out what process you need to use to enrich the log data. Maybe they'll give you a daily or weekly dump of the AD files, maybe they'll give you the ability to read them directly, maybe they'll tell you you're not going to get that info.

If they refuse, then you'll have to start looking for ways to correlate the userids with their user names. There usually ARE events that would have user names, but sometimes you'll have to track back the IP address or use other clues to run it all down. (Which is a large part of why various SIEM tools, including Splunk Enterprise Security, exist...)

Start by researching the various events with your own ID and name, since you'll be able to read them with very little confusion --assuming you're not named "John Green" or "Norton Windows".

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...