topic Re: Authentication extraction for Unix add-on and Enterprise Security (tested un Ubuntu Linux) in Splunk Enterprise Security

Authentication extraction for Unix add-on and Enterprise Security (tested un Ubuntu Linux)

mdessus_splunk — Mon, 28 Sep 2020 19:22:47 GMT

For the ones who use the Unix addon for extracting authentication events for Enterprise Security, and some events are not recognized, mainly on Ubuntu Linux (not tested on other distribs), here's the one I've added. Feel free to correct/complement them.

To be added in etc/apps/Splunk_TA_nix/local/props.conf:

[source::/var/log/auth.log]
EXTRACT-app_and_dest = ^\w+ +\d+ \d\d:\d\d:\d\d (?<dest>\w+) (?<app>\S+)\[\d+\]
EXTRACT-ssh_details = (?<vendor_action>Failed|Accepted) \w+ for (invalid user )*(?<user>\S+) from (?<src>\d+\.\d+\.\d+\.\d+) port (?<src_port>\d+)
EXTRACT-sudo_open_details = ^\w+ +\d+ \d\d:\d\d:\d\d \w+ (?<app>sudo): pam_unix\(sudo:session\): (?<vendor_action>session \w+) for user (?<user>\w+) by (?<src_user>\w+)
LOOKUP-action_for_linux_auth = nix_action_lookup vendor_action OUTPUTNEW action

Re: Authentication extraction for Unix add-on and Enterprise Security (tested un Ubuntu Linux)

mdessus_splunk — Wed, 01 Apr 2015 21:15:47 GMT

The answer is in the question 🙂

Re: Authentication extraction for Unix add-on and Enterprise Security (tested un Ubuntu Linux)

ycourbe — Fri, 18 Aug 2017 13:08:38 GMT

I slightly changed EXTRACT-sudo_open_details so it also works with "su"

^\w+ \d+ \d{2}:\d{2}:\d{2} (?<src>.+) (?<app>\w+).*: pam_unix\(.+:session\): (?<vendor_action>session \w+) for user (?<user>\w+)

For the rest it works perfect with my RHEL. Thanks !