Creating a Splunk Alert off failed ssh pattern

technick · ‎06-06-2014

Hi All...

I am trying to figure out how to generate a alert if the same IP address fails SSH authentication on multiple sources (hosts).

Example Data

Jun  5 08:26:55 clunker-aus sshd[4087]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=monitor
Jun  5 08:26:55 webserver-aus sshd[4089]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=root
Jun  5 08:26:55 server1 sshd[4090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=root

How would I create an alert for a pattern matching this in lets say a 5 minute window against 3 or more hosts?

Thanks in advance 😃

lguinn2 · ‎06-06-2014

Try this search, where XYZ is the name of your sourcetype

sourcetype=XYZ "authentication failure"

Then save it as an alert with the following characteristics

choose Real-time search
Under "trigger condition," choose Number of hosts
Set "Greater than 2"
In "5 minutes"

Here are the docs: Define rolling-window alerts

Creating a Splunk Alert off failed ssh pattern

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Are you a member of the Splunk Community?

Creating a Splunk Alert off failed ssh pattern

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor