Alerting

Creating a Splunk Alert off failed ssh pattern

Explorer

Hi All...

I am trying to figure out how to generate a alert if the same IP address fails SSH authentication on multiple sources (hosts).

Example Data

Jun  5 08:26:55 clunker-aus sshd[4087]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=monitor
Jun  5 08:26:55 webserver-aus sshd[4089]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=root
Jun  5 08:26:55 server1 sshd[4090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186  user=root

How would I create an alert for a pattern matching this in lets say a 5 minute window against 3 or more hosts?

Thanks in advance 😃

Tags (4)
0 Karma

Legend

Try this search, where XYZ is the name of your sourcetype

sourcetype=XYZ "authentication failure"

Then save it as an alert with the following characteristics

  • choose Real-time search
  • Under "trigger condition," choose Number of hosts
  • Set "Greater than 2"
  • In "5 minutes"

Here are the docs: Define rolling-window alerts

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!