This Splunk config will help you monitor which software packages are being installed on your critical Linux servers.
Watch for RPM packages being installed on some critical Linux Centos/RHEL servers, it could be an indication of someone not following change control or you could use it to monitoring change control and many other use cases to monitor such an event.
Before configuring the below you will need to ensure you have setup Splunk, indexes, uf’s and have some test Linux servers. You also need to have Splunk admin level skills, or be an experienced Splunker.
This config was performed on Centos 7.x servers and Splunk 7.x
- A few fields were created using regex, this was done after analysing the logs
- New tags and event types are created for this config.
Fields: action/ software
Tags: Installed /installed
Configure an inputs / eventypes / tags to monitor the yum log file:
inputs.conf (Deploy to the UF/Linux Server)
whitelist = (yum.log)
sourcetype = linux_yum
index = syslog
disabled = 0
props.conf (Deploy to the Search Head / Indexers)
TIME_FORMAT=%b %d %H:%M:%S
KV_MODE = auto
NO_BINARY_CHECK = true
TRUNCATE = 9999
#Extract and action field which is Installed and the software field which is the RPM package installed.
EXTRACT-action = ^(?:[^ \n]* )\d+\s\d+:\d+:\d+\s(?P<action>\w+)
EXTRACT-software = ^(?:[^ \n]* )\d+\s\d+:\d+:\d+\sInstalled:\s\d+:(?P<software>.*)
#normalise the action field as status
FIELDALIAS-action = action as status
Add the below to add event types and tags for the linux_yum sourcetype, this will help with CIM model compliance.
eventtypes.conf (Deploy to the Search Head / Indexers)
search = sourcetype= sourcetype=linux_yum
#tags = installed Installed
tags.conf (Deploy to the Search Head / Indexers)
Installed = enabled
installed = enabled
After the data has been ingested, install some test RPM packages and run the below search, you should get a similar output as in the screenshot.
index=syslog sourcetype=linux_yum action=”Installed”
| rename software as installed_software_rpm
| fields _time, host, action, installed_software_rpm
| eval date=strftime(_time, “%d/%m/%Y %H:%M:%S”)
| stats count by date, action, host, installed_software_rpm