https://community.splunk.com/t5/Alerting/Why-is-my-real-time-search-correlation-for-SSH-detecting-false/m-p/157040#M2574 <P>Your problem is that the <CODE>sshd</CODE> returned from your subsearch appears to be matching the <CODE>sshd</CODE> in the name of the process, not the user name.</P> <P>To fix this, you need to <CODE>rex</CODE> your event into fields, assign the username to a field name, and then at the end of your subsearch, assign the result to that field name rather than <CODE>query</CODE>. That ought to get you what you want.</P> Fri, 24 Apr 2015 20:46:52 GMT aweitzman 2015-04-24T20:46:52Z https://community.splunk.com/t5/Alerting/Why-is-my-real-time-search-correlation-for-SSH-detecting-false/m-p/157039#M2573 <P>After searching for a bit, I can't find an exact fix to this issue--<BR /> I'm having some weird edge cases with a realtime search that we're using to alert on SSH logins.</P> <P>Under normal circumstances the search below triggers an alert if there is a successful login by a user after 4 failed logins in 5 minutes. Normally this works fine, however yesterday we showed brute force attempts from someone trying to log in as a user called "sshd". </P> <P>This caused the search to trigger for <EM>any</EM> users successfully logging in within 5 minutes of the attempt, I'm assuming because it interpeted their successful authentication attempts as successes by the "sshd" user.</P> <P>Is there any good way to modify my search to account for this?</P> <P>Search code:</P> <PRE><CODE>ssh* authenticated [search ssh* "authentication failure" | rex field=_raw "rhost=(?&lt;ipfrom&gt;.*) user=(?&lt;username&gt;.*)" | stats count by username | where count &gt;= 4 | rename username AS query | fields query ] </CODE></PRE> <P>Sanitized logs:</P> <PRE><CODE>Apr 23 14:15:55 hostX auth.debug&lt;39&gt;: sshd[12243]: debug1: monitor_child_preauth: bob has been authenticated by privileged process Apr 23 14:15:53 hostX authpriv.info&lt;86&gt;: sshd[12245]: pam_krb5(sshd:auth): user bob authenticated as bob@myhost.net Apr 23 14:12:27 hostX authpriv.notice&lt;85&gt;: sshd[15524]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=100.100.100.555 user=sshd Apr 23 14:12:13 hostX authpriv.notice&lt;85&gt;: sshd[15524]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=100.100.100.555 user=sshd Apr 23 14:11:44 hostX authpriv.notice&lt;85&gt;: sshd[15440]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=100.100.100.555 user=sshd Apr 23 14:10:32 hostX authpriv.notice&lt;85&gt;: sshd[15440]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=100.100.100.555 user=sshd </CODE></PRE> Fri, 24 Apr 2015 19:13:56 GMT https://community.splunk.com/t5/Alerting/Why-is-my-real-time-search-correlation-for-SSH-detecting-false/m-p/157039#M2573 reljssplunk 2015-04-24T19:13:56Z https://community.splunk.com/t5/Alerting/Why-is-my-real-time-search-correlation-for-SSH-detecting-false/m-p/157040#M2574 <P>Your problem is that the <CODE>sshd</CODE> returned from your subsearch appears to be matching the <CODE>sshd</CODE> in the name of the process, not the user name.</P> <P>To fix this, you need to <CODE>rex</CODE> your event into fields, assign the username to a field name, and then at the end of your subsearch, assign the result to that field name rather than <CODE>query</CODE>. That ought to get you what you want.</P> Fri, 24 Apr 2015 20:46:52 GMT https://community.splunk.com/t5/Alerting/Why-is-my-real-time-search-correlation-for-SSH-detecting-false/m-p/157040#M2574 aweitzman 2015-04-24T20:46:52Z