Creating a Splunk Alert off failed ssh pattern

technick · ‎06-06-2014

Hi All...

I am trying to figure out how to generate a alert if the same IP address fails SSH authentication on multiple sources (hosts).

Example Data

Jun  5 08:26:55 clunker-aus sshd[4087]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=monitor
Jun  5 08:26:55 webserver-aus sshd[4089]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=root
Jun  5 08:26:55 server1 sshd[4090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=root

How would I create an alert for a pattern matching this in lets say a 5 minute window against 3 or more hosts?

Thanks in advance 😃

lguinn2 · ‎06-06-2014

Try this search, where XYZ is the name of your sourcetype

sourcetype=XYZ "authentication failure"

Then save it as an alert with the following characteristics

choose Real-time search
Under "trigger condition," choose Number of hosts
Set "Greater than 2"
In "5 minutes"

Here are the docs: Define rolling-window alerts

Creating a Splunk Alert off failed ssh pattern

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20. Learn More or Register Now >

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Learn More or Register Now >