By default, in most Linux distros, OpenVPN log output goes to the authlog, which is usually at /var/log/auth.log, as such it is trivial to add them to Splunk monitoring:
Splunk:
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/auth.log -index main -sourcetype OpenSSH
Splunk (manual):
sudo vi /opt/splunkforwarder/etc/apps/search/local/inputs.conf
[monitor:///var/log/auth.log]
disabled = false
index = main
sourcetype = OpenSSH
REFERENCES:
I’ve discussed the use of SSH in several posts in the past, but while recently building a new environment, I realized that I’ve never indicated how the service itself should be installed.
INSTALLATION:
sudo apt-get install openssh-server
If you desire to change any of the default configuration such as port or cyphers…
sudo vi /etc/ssh/ssh_config
NOTE: If you intend to access the server from the Internet, you will have to verify that port forwarding is enabled on your routers and firewalls.
REFERENCES: