Hi Splunkers,
Last week, one of our search head went down and we tried to restart the server. We have done some troubleshooting and identified that the Splunk server is running as a root user. After connecting with the network team, we are able to run the Splunk services again as a Splunk user.
We want to understand who has logged in as Root in the server and track down the Ip etc.
We need some guidance on the same.
Thanks,
RJ
Hi. This doesn't sound like a Splunk question. Sounds more like an operating system question.
If this happened on a Linux server, typically /var/log/messages would record such events. For example
Dec 28 07:50:16 myserver.mycompany.com sudo: burwell : TTY=pts/0 ; PWD=/home/burwell ; USER=root ; COMMAND=/usr/local/bin/bash
I am sure your networking people can help you figure this out.