Tracking command history can provide critical insights for system auditing and security monitoring. In this guide, we’ll walk you through how to onboard .bash_history files into Splunk, configure proper permissions, and make sure the data is readable and structured — all while keeping it secure and accessible.

🧭 Objective

Enable the Splunk Universal Forwarder (typically running as splunk or splunkfwd) to read .bash_history files from all user accounts, including root, and ingest them into Splunk with clean parsing and field extractions.

✅ Step 1: Grant Read Access to .bash_history


Log in as root. First, make sure the user running Splunk has read access to all users’ .bash_history files:

setfacl -R -m u:splunkfwd:r /home/*/.bash_history
🔐 This sets ACLs (Access Control Lists) to give the splunkfwd user read permission on the history files that exist right now; a history file created later for a new account will not carry the ACL, so re-run the command (or add a default ACL on the home directories) when users are added. The forwarder also needs search (execute) permission on each home directory to reach the file, so check the directory mode if the ACL alone is not enough.
Verify the permissions:
getfacl /home/*/.bash_history

You should see that splunkfwd (or your Splunk user) has r-- permission.

👤 Step 2: Switch to the Splunk User

Switch to the user that runs Splunk (usually splunk):

sudo su - splunk

This ensures you perform the following configuration changes in the right environment.

🛠️ Step 3: Monitor .bash_history Files with inputs.conf

Navigate to the TA (typically Splunk_TA_nix) and create or edit the inputs.conf file:

cd /opt/splunk/etc/apps/Splunk_TA_nix/local
vi inputs.conf
Add the following stanzas:
[monitor:///home/*/.bash_history]
disabled = false
index = os
sourcetype = bash_history

[monitor:///root/.bash_history]
disabled = false
index = os
sourcetype = bash_history

📁 This tells Splunk to monitor history files for all users and the root user as well.

🧩 Step 4: Configure Field Behavior in props.conf

Now edit or create props.conf in the same folder:

[bash_history]
BREAK_ONLY_BEFORE = #(?=\d+)
CHARSET = UTF-8
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
TIME_FORMAT = %s
TIME_PREFIX = ^#
category = Custom
disabled = false
REPORT-bhist = bash_user,bash_user_root
FIELDALIAS-dest_for_history = host as dest
EXTRACT-command = #\d+\n(?<bash_command>[\/\w\-\s]*)
⚙️ This config starts a new event before each #<epoch> line, reads that epoch value as the event time, and extracts the command that follows it. Two things to keep in mind: the line-breaking and timestamp settings (BREAK_ONLY_BEFORE, SHOULD_LINEMERGE, TIME_PREFIX, TIME_FORMAT) take effect where the data is parsed, i.e. on the indexer or a heavy forwarder, not on a Universal Forwarder, while REPORT-, EXTRACT- and FIELDALIAS- are search-time settings that belong on the search head. Also, the EXTRACT-command character class [\/\w\-\s] stops at the first character it does not list, so a command containing a pipe, dot or quote is captured only up to that character.

🧪 Step 5: Add Field Extractions in transforms.conf

Now let’s extract usernames based on the file paths. Create or edit transforms.conf:

[bash_user]
SOURCE_KEY = source
REGEX = ^/home/([^/]+)/
FORMAT = user_name::$1

[bash_user_root]
SOURCE_KEY = source
REGEX = ^/(root)/
FORMAT = user_name::$1

🔎 These stanzas help label each command with the correct user (including root).
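To check the Step 4 and Step 5 regexes before touching the indexers, here is an added example (not part of the original post) that emulates the line breaking, timestamp, command and user_name extraction in plain Python over a constructed history file. The EXTRACT_COMMAND_FULL pattern is an assumed alternative, not something the page configures.

```python
"""Dry-run of the page's bash_history parsing rules on a constructed history file."""
import re

# Regexes copied from the page's props.conf / transforms.conf
BREAK_ONLY_BEFORE = re.compile(r"#(?=\d+)")
EXTRACT_COMMAND = re.compile(r"#\d+\n(?P<bash_command>[\/\w\-\s]*)")
USER_FROM_SOURCE = (re.compile(r"^/home/([^/]+)/"), re.compile(r"^/(root)/"))
# Assumed alternative (not from the page): capture the whole command line
EXTRACT_COMMAND_FULL = re.compile(r"#\d+\n(?P<bash_command>[^\n]+)")

# Constructed sample: bash writes "#<epoch>" before each command once HISTTIMEFORMAT is set
SAMPLE_HISTORY = (
    "#1715000000\nls -la /etc\n"
    "#1715000060\ncat /var/log/auth.log | grep Failed\n"
    "#1715000120\nsudo systemctl restart sshd\n"
)

def break_events(raw):
    """Emulate SHOULD_LINEMERGE=true with BREAK_ONLY_BEFORE: a line matching the
    regex starts a new event, every other line is merged into the current one."""
    events, current = [], []
    for line in raw.splitlines():
        if current and BREAK_ONLY_BEFORE.search(line):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events

def parse_event(event, source, extract=EXTRACT_COMMAND):
    """Apply the timestamp, command and user_name extractions to one merged event."""
    first_line = event.split("\n", 1)[0]
    epoch = int(first_line[1:]) if first_line.startswith("#") else None  # TIME_PREFIX=^#, %s
    m = extract.search(event)
    command = m.group("bash_command").strip() if m else None
    user = None
    for rx in USER_FROM_SOURCE:  # REPORT-bhist: user_name taken from the source path
        hit = rx.match(source)
        if hit:
            user = hit.group(1)
            break
    return {"_time": epoch, "user_name": user, "bash_command": command}

def ingest(raw, source, extract=EXTRACT_COMMAND):
    """Break the raw file into events and parse each one, like the indexer would."""
    return [parse_event(e, source, extract) for e in break_events(raw)]

if __name__ == "__main__":
    for rec in ingest(SAMPLE_HISTORY, "/home/alice/.bash_history"):
        print(rec)  # the second command is cut at the '.' by the page's character class
```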

🔁 Step 6: Restart Splunk

Apply your changes by restarting Splunk from the Splunk user:

/opt/splunk/bin/splunk restart

⏱️ Step 7: Enable Timestamps in .bash_history

Timestamps make it easier to track when each command was run.

Switch to root and update the bash configuration:

sudo su - root
vi /etc/bashrc
Add this line at the end (on Debian-based systems the system-wide file is /etc/bash.bashrc):
export HISTTIMEFORMAT="%F %T "
Then apply the change:
source /etc/bashrc

Now bash writes a #<epoch seconds> comment line before each command in .bash_history; the "%F %T " format only controls how the history command displays those timestamps, while Splunk parses the epoch value itself through the TIME_PREFIX and TIME_FORMAT = %s settings from Step 4.

✅ Step 8: Validate in Splunk

Head to Splunk and run this search to check your data:

index=os sourcetype=bash_history

Verify:

  • Command timestamps (_time)

  • Extracted bash_command

  • Correct user_name field

🧠 Final Thoughts

By onboarding .bash_history into Splunk, you’re not just ingesting logs — you’re enabling deep visibility into user activity, command behavior, and potential anomalies on your systems. It’s a low-cost, high-impact addition to your security monitoring stack.
Happy Splunking 😉