I've got a splunkforwarder installed on a server. This server is also logging its commands via auditd.
When I do something like "sudo su -", auditd captures the output, but doesn't expose passwords. An example:
type=USER_AUTH msg=audit(1469642237.076:4664554): user pid=29165 uid=565 auid=565 ses=225532 msg='op=PAM:authentication acct="ME" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/14 res=failed'
However, the splunkforwarder gives much more information, including the password you type on the command line. This is a pretty straightforward install of the forwarder - no fancy stuff going on. How can I use the splunk forwarder without exposing users' passwords, like auditd does?
Thanks in advance.
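Added illustration, not part of the question above: the usual Splunk backstop once a source is known to leak a credential is an index-time `SEDCMD` in `props.conf` that rewrites the password out of the raw event before it is written. The sourcetype name `linux_secure` and the `password=` layout are assumptions made for this example; the regex has to be adapted to whatever the leaking input actually looks like.

```ini
# props.conf on the indexer or a heavy forwarder. The universal forwarder
# does not parse events, so a SEDCMD placed there is silently ignored.
# Sourcetype name and event layout are assumed for this example.
[linux_secure]
# Replace everything after "password=" up to the next whitespace with a
# fixed mask; "g" applies it to every occurrence in the event.
SEDCMD-mask_password = s/([Pp]assword=)\S+/\1********/g
```

Restart splunkd on the host that carries the stanza and confirm with a search over fresh events that the masked value is all that reaches `_raw`. Two caveats: events already indexed are not rewritten, and the plaintext still crosses the network from the universal forwarder to the indexer before the rewrite runs, so masking is a stopgap. The real fix is to stop whichever input the forwarder is monitoring from recording typed passwords in the first place.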