Despite having the Linux Auditd app configured properly, the UserTTY tab doesn't return anything:
[|inputlookup auditd_indicies] [|inputlookup auditd_sourcetypes] type="USER_TTY" host=* user=* ses=* | lookup posix_identities uid OUTPUT user AS effective_user | rename ses as session | table _time host user session effective_user keystrokes | sort 0 +_time
doesn't return anything.
But
[|inputlookup auditd_indicies] [|inputlookup auditd_sourcetypes] type="TTY" host=* user=* ses=* | lookup posix_identities uid OUTPUT user AS effective_user | rename ses as session | table _time host user session effective_user keystrokes | sort 0 +_time
does; in fact:
index=main sourcetype=linux:audit | stats count by type
returns (replaced \n with space):
ANOM_ABEND BPRM_FCAPS CONFIG_CHANGE CRED_ACQ CRED_DISP CRED_REFR CWD DAEMON_END DAEMON_START EXECVE LOGIN PATH PROCTITLE SERVICE_START SERVICE_STOP SYSCALL TTY USER_ACCT USER_AUTH USER_CMD USER_END USER_START
Let me know.
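As an added example, not part of the original post and not code from the Linux Auditd app: the check the poster did with `stats count by type` can also be run offline against raw auditd lines, which makes it easy to confirm what record types a host actually emits before blaming a dashboard. The script below parses auditd's `type=... msg=audit(ts:serial): key=value ...` format, counts records by type, reports which types a given dashboard panel expects but the data lacks, and decodes the hex-encoded `data=` field of TTY keystroke records. The sample lines are constructed for the example. Two assumptions are general auditd knowledge rather than anything the post states: kernel `TTY` records (from pam_tty_audit) hex-encode the typed bytes in `data=`, and `USER_TTY` records come from user-space programs built with audit support, so a host can legitimately produce one without the other.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auditd lines (not taken from the post). The TTY records
# carry the typed bytes hex-encoded in data=, as kernel tty auditing emits them.
SAMPLE_LINES = [
    "type=USER_START msg=audit(1700000000.101:201): pid=2100 uid=0 auid=1000 ses=7 "
    "msg='op=PAM:session_open acct=\"alice\" exe=\"/usr/sbin/sshd\" hostname=? addr=? terminal=ssh res=success'",
    "type=TTY msg=audit(1700000000.205:202): tty pid=2150 uid=1000 auid=1000 ses=7 "
    "major=136 minor=1 comm=\"bash\" data=6C73202D6C0A",
    "type=TTY msg=audit(1700000000.310:203): tty pid=2150 uid=1000 auid=1000 ses=7 "
    "major=136 minor=1 comm=\"bash\" data=7375646F202D690A",
    "type=USER_CMD msg=audit(1700000000.320:204): pid=2160 uid=1000 auid=1000 ses=7 "
    "msg='cwd=\"/home/alice\" cmd=2D69 terminal=pts/0 res=success'",
    "type=SYSCALL msg=audit(1700000000.330:205): arch=c000003e syscall=59 success=yes "
    "exit=0 ppid=2150 pid=2161 auid=1000 uid=1000 ses=7 comm=\"sudo\" exe=\"/usr/bin/sudo\"",
]

# Record header: type, timestamp and serial, then the remaining key=value fields.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# Fields are key=value with double-quoted, single-quoted or bare values.
# A nested msg='...' blob is kept as one opaque value.
FIELD_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")


def parse_record(line):
    """Parse one auditd line into a dict, or return None if it is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for key, dq, sq, bare in FIELD_RE.findall(m["rest"]):
        rec[key] = dq or sq or bare
    return rec


def decode_tty_data(value):
    """Decode the data= field of a TTY record.

    auditd hex-encodes the field when it contains non-printable bytes (a newline
    is always present for a typed command), and writes a quoted string otherwise.
    The parser has already stripped quotes, so a short all-hex printable string
    would be misread as hex; that ambiguity is inherent to the format.
    """
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def count_by_type(lines):
    """Equivalent of `stats count by type` over raw lines."""
    return Counter(r["type"] for r in map(parse_record, lines) if r)


def missing_types(counts, expected):
    """Record types a dashboard panel expects that never occur in the data."""
    return [t for t in expected if counts.get(t, 0) == 0]


def keystrokes_by_session(lines):
    """Group decoded keystroke data by audit session id (the ses= field).

    Only kernel TTY records are assumed to expose a top-level data= field;
    USER_TTY records are included where they happen to use the same layout.
    """
    out = defaultdict(list)
    for rec in map(parse_record, lines):
        if rec and rec["type"] in ("TTY", "USER_TTY") and "data" in rec:
            out[rec.get("ses", "?")].append(decode_tty_data(rec["data"]))
    return dict(out)


if __name__ == "__main__":
    counts = count_by_type(SAMPLE_LINES)
    for rtype, n in sorted(counts.items()):
        print(f"{rtype:<12} {n}")
    # The UserTTY panel in the post filters on USER_TTY; TTY is the kernel-side type.
    print("expected but absent:", missing_types(counts, ["USER_TTY", "TTY"]))
    for ses, keys in keystrokes_by_session(SAMPLE_LINES).items():
        print(f"session {ses}: {[k.rstrip() for k in keys]}")
```

Run it against `/var/log/audit/audit.log` (or the raw events Splunk indexed) by replacing `SAMPLE_LINES` with the file's lines; if `USER_TTY` is in the "expected but absent" list while `TTY` is counted, the host is producing kernel TTY audit records but no user-space ones, and a panel filtering on `type="USER_TTY"` alone will stay empty regardless of how the app is configured.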