Alerting

Create alert for 5+ failed authentications for any single user

clwboscovs
Engager

I want to create an alert that monitors 5+ authentication failures for VPN login within an hour, but I'm not sure how to get the alert to monitor for 5+ failures for any single user.

Here's an example log:

[2020-08-17 11:40:10,550] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/user] The Radius server ise_servers rejected authentication for user VPN_AD_Group/user.


impurush
Contributor

@clwboscovs 

Could you please tell me what the user name is in your log?
And is the user name already extracted into any field?


index=<your index> sourcetype=<your sourcetype> "The Radius server ise_servers rejected authentication"
| stats count by user
| where count > 5


thambisetty
SplunkTrust
index=yourindex rejected authentication 
| rex "\s(?<user>[\w\/]+)\.$"
| stats count by user 
| where count > 5
————————————
If this helps, give a like below.
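The two answers count rejections per user; the question also asks for the hour constraint. The following is an added example, not code from either answer, that applies the same field extraction as the rex above to constructed sample events in the format quoted in the question and reports users with 5+ failures inside any sliding one-hour window. The user names, timestamps and the `_event` helper are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same extraction as the rex in the thread: the user is the last token before the final period.
USER_RE = re.compile(r"\s(?P<user>[\w/]+)\.$")
TS_RE = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\]")

def parse_event(line):
    """Return (timestamp, user) for a rejected-authentication event, else None."""
    if "rejected authentication" not in line:
        return None
    ts_m = TS_RE.match(line)
    user_m = USER_RE.search(line.rstrip())
    if not ts_m or not user_m:
        return None
    return datetime.strptime(ts_m.group("ts"), "%Y-%m-%d %H:%M:%S"), user_m.group("user")

def users_over_threshold(lines, threshold=5, window=timedelta(hours=1)):
    """Map user -> largest failure count inside any sliding window; keep users at or above threshold."""
    times_by_user = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed:
            ts, user = parsed
            times_by_user[user].append(ts)
    hits = {}
    for user, times in times_by_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # advance window start until it spans <= one hour
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[user] = best
    return hits

# Constructed sample events in the format quoted in the question (not real log data).
def _event(ts, user):
    return (f"[{ts},550] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [{user}] "
            f"The Radius server ise_servers rejected authentication for user {user}.")

SAMPLE_LOG = (
    [_event(f"2020-08-17 {hm}:00", "VPN_AD_Group/alice")  # six failures in 35 minutes
     for hm in ("11:40", "11:45", "11:50", "11:55", "12:05", "12:15")]
    + [_event(f"2020-08-17 {hm}:00", "VPN_AD_Group/bob")  # five failures spread over six hours
       for hm in ("09:00", "10:30", "12:00", "13:30", "15:00")]
)
```

A plain `stats count by user` over a long search range would also flag bob once the range covers all five events, whereas the sliding window keeps the hour constraint from the question; in the Splunk alert the equivalent is scheduling the search over the last hour. Note that `where count > 5` fires at six failures, so `>= 5` matches the "5+" wording.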


clwboscovs
Engager

The field for the sourcetype is "user", so your solution works for me perfectly. Thank you!
