I am attempting to audit the usage of commands such as chown or chmod on my Linux environment. Through the below query I am able to see the list of users, hosts, and the commands that were run but not the files or directories that they were run on. There are no fields in the event viewer that show filepaths or directories of any kind.
index=myindex comm="chmod" | table date , host , AUID , comm , exe , source
Any assistance would be appreciated. Pretty new to Splunk.