Hi,
I am using Splunk for Linux server log monitoring, and I am using the Unix add-on for that.
Now, I want to monitor when users/root installed any software/rpm/tar into the system.
Please help.
Regards,
catch_mili
I don't think you will find that Splunk can tell you that, at least not directly. It is interesting though! You can lock your systems down of course, and log / see if a person su's up to root, but ideally they shouldn't have root access as it totals your change control and protection of the systems.
If you use a third-party product for asset discovery (software type) and that logs information, then you can bring it back into Splunk as the point of control. Solaris has pkginfo for example.
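
The inventory-logging approach suggested in the answer above can be sketched as follows. This is an added example, not part of the original posts or of any Splunk add-on: it diffs two package-inventory snapshots and emits key=value lines that Splunk can index. The snapshot format, the host name `web01`, the field names and the sample package data are all assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample snapshots, one "name version-release installtime" per line,
# the shape `rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE} %{INSTALLTIME}\n'` prints.
OLD = """openssl 3.0.7-24.el9 1690000000
bash 5.1.8-6.el9 1690000000
telnet 0.17-85.el9 1690000000
"""
NEW = """openssl 3.0.7-25.el9 1700000000
bash 5.1.8-6.el9 1690000000
nmap 7.92-1.el9 1700000500
garbage line without an epoch
"""

def parse_snapshot(text):
    """Return {(name, version): install_epoch}, skipping malformed lines."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            pkgs[(parts[0], parts[1])] = int(parts[2])
    return pkgs

def diff_events(old_text, new_text, host, detected_at):
    """Compare two snapshots and return key=value event lines Splunk can index."""
    old, new = parse_snapshot(old_text), parse_snapshot(new_text)
    gone = dict(old.keys() - new.keys())   # name -> version no longer present
    events = []
    for name, version in sorted(new.keys() - old.keys()):
        ts = datetime.fromtimestamp(new[(name, version)], tz=timezone.utc).isoformat()
        prev = gone.pop(name, None)         # same name vanished: treat as upgrade
        line = f"{ts} host={host} action={'upgraded' if prev else 'installed'}"
        line += f" package={name} version={version}"
        if prev:
            line += f" previous_version={prev}"
        events.append(line)
    # No removal time is recorded in the snapshot; stamp with the detection time.
    for name, version in sorted(gone.items()):
        events.append(f"{detected_at} host={host} action=removed package={name} version={version}")
    return events

if __name__ == "__main__":
    for event in diff_events(OLD, NEW, "web01", "2023-11-15T00:00:00+00:00"):
        print(event)
```

Software unpacked from a tarball never touches the RPM database, so a diff like this does not see it, and the inventory alone does not say which user ran the install; that still has to come from the su/sudo logging mentioned in the answer.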