Hello,
I have installed the Splunk apps (Linux Auditd and Auditd Addons) following your documentation at https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration
Besides that, I also did the following steps.
- I added the user splunk to the root group.
- Gave chmod 770 to /var/log/audit
- Gave chmod 770 to /var/log/audit/audit.log
- Manually added a data input for /var/log/audit/audit.log in Splunk
- Added configuration to /etc/pam.d/system-auth and /etc/pam.d/password-auth to record user keystrokes.
- Ran commands at the command line as user root for keystroke testing
- Keystrokes were recorded and can be viewed using the aureport --tty command.
But after I did that, I can see root's keystrokes in the User TTY view.
If I use another user (for example, rendi),
I cannot see rendi's keystrokes in the User TTY view.
I am pretty sure I am using enable=* in the pam.d configuration.
I also checked it in aureport --tty, and it shows rendi's keystrokes.
Am I missing something?
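As an added example that is not part of the original post or of the splunk_auditd project: the script below reads pam_tty_audit's `type=TTY` records from an audit.log excerpt (a constructed sample, not the poster's data), decodes the hex `data` field and groups the keystrokes by login uid (`auid`). Pointing it at the file Splunk is monitoring shows whether records for a non-root user are present in that file at all: if they are, the gap is on the Splunk side (input or field extraction); if they are not, the gap is on the audit side (pam_tty_audit or auditd configuration). The record layout follows the kernel's TTY audit format; the names used for control characters are my own choice and only loosely mirror what aureport --tty prints.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not taken from the original post):
# pam_tty_audit records for root (auid=0) and for a non-root user (auid=1000),
# mixed with unrelated record types that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=USER_START msg=audit(1700000000.101:201): pid=2001 uid=0 auid=1000 ses=7 msg='op=PAM:session_open grantors=pam_tty_audit,pam_unix acct="rendi" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=TTY msg=audit(1700000000.123:202): tty pid=2010 uid=1000 auid=1000 ses=7 major=136 minor=1 comm="bash" data=6C73202D6C610D
type=TTY msg=audit(1700000000.456:203): tty pid=2010 uid=1000 auid=1000 ses=7 major=136 minor=1 comm="bash" data=6964
type=TTY msg=audit(1700000001.001:204): tty pid=3001 uid=0 auid=0 ses=8 major=136 minor=2 comm="bash" data=77686F616D690D
type=SYSCALL msg=audit(1700000001.500:205): arch=c000003e syscall=59 success=yes exit=0 pid=3002 auid=0 uid=0 comm="whoami" exe="/usr/bin/whoami"
"""

# Header of a pam_tty_audit record as written by the kernel: timestamp and
# serial inside msg=audit(...), then the literal "tty" and key=value fields.
TTY_HEADER_RE = re.compile(
    r"^type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): tty (?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Make a few common control bytes visible instead of printing them raw.
CONTROL_NAMES = {"\r": "<ret>", "\n": "<nl>", "\t": "<tab>", "\x7f": "<del>", "\x03": "<^C>"}


def decode_keystrokes(hex_data: str) -> str:
    """Decode the hex-encoded data= field of a TTY record into printable text."""
    raw = bytes.fromhex(hex_data)
    text = raw.decode("utf-8", errors="replace")
    return "".join(CONTROL_NAMES.get(ch, ch) for ch in text)


def parse_tty_records(log_text: str) -> list:
    """Return one dict per type=TTY line; every other record type is ignored."""
    records = []
    for line in log_text.splitlines():
        m = TTY_HEADER_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        records.append({
            "ts": float(m.group("ts")),
            "serial": int(m.group("serial")),
            "pid": int(fields["pid"]),
            "uid": int(fields["uid"]),
            "auid": int(fields["auid"]),   # login uid: the user who actually logged in
            "ses": int(fields["ses"]),
            "comm": fields.get("comm", ""),
            "keys": decode_keystrokes(fields.get("data", "")),
        })
    return records


def keystrokes_by_auid(records: list) -> dict:
    """Concatenate decoded keystrokes per login uid, in audit serial order."""
    grouped = defaultdict(str)
    for rec in sorted(records, key=lambda r: r["serial"]):
        grouped[rec["auid"]] += rec["keys"]
    return dict(grouped)


def auids_with_tty_records(records: list) -> set:
    """The set of login uids that have at least one TTY record in the log."""
    return {rec["auid"] for rec in records}


if __name__ == "__main__":
    # With a real file: parse_tty_records(open("/var/log/audit/audit.log").read())
    recs = parse_tty_records(SAMPLE_AUDIT_LOG)
    for auid, keys in keystrokes_by_auid(recs).items():
        print(f"auid={auid}: {keys!r}")
```

If the login uid you expect (look it up with `id -u rendi`) is missing from `auids_with_tty_records`, the records never reached audit.log, so the Splunk view cannot show them; if it is present, compare the raw `auid` and `data` fields against what the app's User TTY view extracts.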