Creating a Splunk Alert off failed ssh pattern

technick · ‎06-06-2014

Hi All...

I am trying to figure out how to generate a alert if the same IP address fails SSH authentication on multiple sources (hosts).

Example Data

Jun  5 08:26:55 clunker-aus sshd[4087]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=monitor
Jun  5 08:26:55 webserver-aus sshd[4089]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=root
Jun  5 08:26:55 server1 sshd[4090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=root

How would I create an alert for a pattern matching this in lets say a 5 minute window against 3 or more hosts?

Thanks in advance 😃

lguinn2 · ‎06-06-2014

Try this search, where XYZ is the name of your sourcetype

sourcetype=XYZ "authentication failure"

Then save it as an alert with the following characteristics

choose Real-time search
Under "trigger condition," choose Number of hosts
Set "Greater than 2"
In "5 minutes"

Here are the docs: Define rolling-window alerts

Creating a Splunk Alert off failed ssh pattern

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation

Creating a Splunk Alert off failed ssh pattern

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud