https://community.splunk.com/t5/Security/how-to-relate-unsuccessful-login-id-and-public-ip-address-of/m-p/200115#M14798 <P>“err=49” is the OpenLDAP error code for unauthorized login.</P> <P>Mar 21 14:43:51 icns01 slapd[2344]: conn=255737 op=0 RESULT tag=97 err=49 text=</P> <P>Mar 21 14:43:52 iccontroller01 keystone-pub-api: 192.168.1.2, 192.168.1.1 - - [21/Mar/2016:14:43:51 +0800] "POST /v2.0/tokens HTTP/1.1" 401 114 "-" "python-keystoneclient"</P> <P>Mar 21 14:43:51 iccontroller02 horizon: 203.120.232.223 - - [21/Mar/2016:14:43:51 +0800] "POST /auth/login/ HTTP/1.1" 200 1239 "<A href="https://hello.hk/auth/login/">https://hello.hk/auth/login/</A>" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0</P> <P>i use datetime to join that there is one second difference lead join unsuccessful,<BR /> after exclude seconds to join , it succeed to join,</P> <P>however, if i argue that there is difference account and log in the same minute, then the join result will have problem</P> Fri, 29 Jul 2016 07:04:01 GMT cyberportnoc 2016-07-29T07:04:01Z https://community.splunk.com/t5/Security/how-to-relate-unsuccessful-login-id-and-public-ip-address-of/m-p/200115#M14798 <P>“err=49” is the OpenLDAP error code for unauthorized login.</P> <P>Mar 21 14:43:51 icns01 slapd[2344]: conn=255737 op=0 RESULT tag=97 err=49 text=</P> <P>Mar 21 14:43:52 iccontroller01 keystone-pub-api: 192.168.1.2, 192.168.1.1 - - [21/Mar/2016:14:43:51 +0800] "POST /v2.0/tokens HTTP/1.1" 401 114 "-" "python-keystoneclient"</P> <P>Mar 21 14:43:51 iccontroller02 horizon: 203.120.232.223 - - [21/Mar/2016:14:43:51 +0800] "POST /auth/login/ HTTP/1.1" 200 1239 "<A href="https://hello.hk/auth/login/">https://hello.hk/auth/login/</A>" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0</P> <P>i use datetime to join that there is one second difference lead join unsuccessful,<BR /> after exclude seconds to join , it succeed to join,</P> <P>however, if i argue that there is difference account and log in the same minute, then the join result will have problem</P> Fri, 29 Jul 2016 07:04:01 GMT https://community.splunk.com/t5/Security/how-to-relate-unsuccessful-login-id-and-public-ip-address-of/m-p/200115#M14798 cyberportnoc 2016-07-29T07:04:01Z https://community.splunk.com/t5/Security/how-to-relate-unsuccessful-login-id-and-public-ip-address-of/m-p/200116#M14799 <P>You need to explain which data is from which index/sourcetype and also share the search(es) that you are using.</P> Sun, 31 Jul 2016 13:26:40 GMT https://community.splunk.com/t5/Security/how-to-relate-unsuccessful-login-id-and-public-ip-address-of/m-p/200116#M14799 woodcock 2016-07-31T13:26:40Z https://community.splunk.com/t5/Security/how-to-relate-unsuccessful-login-id-and-public-ip-address-of/m-p/200117#M14800 <P>Instead of attempting to join, you may want to try your hand with the <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transaction">transaction</A> command. All fields from all events grouped together would then be on the grouped event. You have finer control over the length of a transaction for example using <CODE>maxspan=2s</CODE> instead of 1 second or 1 minute resolution. You can also use <CODE>startswith=</CODE> and <CODE>endswith=</CODE> and <CODE>maxevents=</CODE> to help with shaping how the events should be grouped together. </P> <P>If you have control over the log formats and data being passed between systems, you may want to alter logging to include more information at each layer (possibly adding username at more layers, or possibly even a generated correlation id)... this will help your transaction (or stats or join) results be more accurate as you correlate disparate logs, but obviously that's a function of the level of control you have over the source systems and their interactions.</P> Sun, 31 Jul 2016 18:48:48 GMT https://community.splunk.com/t5/Security/how-to-relate-unsuccessful-login-id-and-public-ip-address-of/m-p/200117#M14800 acharlieh 2016-07-31T18:48:48Z