
How do you set up an alert for a failed password attempt?

Explorer

Hello,

I am trying to set up alerts on failed password attempts for any user on my *nix box.

Below is my query and it works fine, but I am having trouble setting up alerts. It just floods my mailbox as soon as the condition matches.

index="main" "Failed password for" OR "authentication failure"
| rex "Failed password for (?<SSHInvalidUser>.*?) from (?<InvalidSSHIP>[^ ]+) port (\d+)"
| stats count by _time, SSHInvalidUser, InvalidSSHIP, host
| eventstats count by SSHInvalidUser

Below is what my current trigger condition looks like.

Alert type = Real-time

Trigger alert when -> Number of Results
Is Greater than 1
In 1 minutes

Trigger Once

Basically, I would like to get it triggered if there are multiple users, or even a single user, trying to break in or possibly brute force.

Thanks!

Regards,


Re: How do you set up an alert for a failed password attempt?

SplunkTrust

Don't set the alert to "real-time". Set it to "Scheduled" then "Cron schedule" and * * * * * which will run it every minute.

All the best


Re: How do you set up an alert for a failed password attempt?

Explorer

For that I think I may need to change the condition in my query; please correct me if I am wrong.

index="main" "Failed password for" OR "authentication failure"
| bin _time span=10m
| rex "Failed password for (?<SSHInvalidUser>.*?) from (?<InvalidSSHIP>[^ ]+) port (\d+)"
| stats count by _time, SSHInvalidUser, InvalidSSHIP, host
| where count >= 1

I have set up the following alert schedule:
*/10 * * * *

Run it every 10 minutes and, if the count is equal to or more than 1 in the 10-minute time span, send the alert.

Please advise!

thanks,


Re: How do you set up an alert for a failed password attempt?

SplunkTrust

You don't need to use the bin command. Your original query will work fine for any time period you want to set. Just be sure to use "Scheduled" and then set the time period in the alert configuration to match the run frequency.


Re: How do you set up an alert for a failed password attempt?

Explorer

I have set the Time Range to 15 minutes and Run on Cron Schedule with * * * * * (every minute). Do I also have to do something in Trigger Conditions, or leave it at the default?

So basically it checks a 15-minute time range, runs the cron job every minute, and checks whether there were any failed login attempts in the last 15 minutes? Please correct me if I am wrong.


Re: How do you set up an alert for a failed password attempt?

SplunkTrust

It will run every minute and search the past 15 minutes. This means you will get 15 emails for every event. So you need to set the time range the same as the run frequency. Set trigger conditions to "Trigger once if results > 0".

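To make the window-versus-frequency point above concrete, here is an added Python stand-in for the thread's search and schedule (example code, not from the thread or from Splunk): it restores the rex's named groups (the port group name is assumed, since the page never names it), runs the stats count over constructed sshd lines, and counts how many scheduled runs would see one event for a given time range and cron frequency.

```python
import re

# Regex mirroring the thread's rex, with the named groups restored.
# The port group name ("port") is assumed; the page does not name it.
SSH_FAIL = re.compile(
    r"Failed password for (?P<SSHInvalidUser>.*?) from "
    r"(?P<InvalidSSHIP>[^ ]+) port (?P<port>\d+)"
)

# Constructed sample events (not real data): (epoch seconds, host, _raw).
SAMPLE_EVENTS = [
    (0, "host1", "Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"),
    (30, "host1", "Failed password for root from 203.0.113.5 port 51240 ssh2"),
    (700, "host2", "Failed password for bob from 198.51.100.7 port 40001 ssh2"),
    (720, "host2", "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0"),
]


def extract(raw):
    """rex equivalent: return the named groups as a dict, or None on no match."""
    m = SSH_FAIL.search(raw)
    return m.groupdict() if m else None


def stats_count(events, span=600):
    """`bin _time span=10m | stats count by _time, SSHInvalidUser, InvalidSSHIP, host`.
    Events the rex did not match have null fields and are dropped by stats,
    exactly as the "authentication failure" events are in the thread's query."""
    counts = {}
    for ts, host, raw in events:
        fields = extract(raw)
        if fields is None:
            continue
        key = (ts - ts % span, fields["SSHInvalidUser"], fields["InvalidSSHIP"], host)
        counts[key] = counts.get(key, 0) + 1
    return counts


def runs_that_see_event(window, frequency, event_time=1, horizon=3600):
    """Number of scheduled runs whose time range contains one event.
    Runs fire every `frequency` seconds and each searches (run - window, run]."""
    return sum(1 for run in range(frequency, horizon + 1, frequency)
               if run - window < event_time <= run)


if __name__ == "__main__":
    print(stats_count(SAMPLE_EVENTS))
    # 15-minute range every minute alerts 15 times per event; a matched range alerts once.
    print(runs_that_see_event(900, 60), runs_that_see_event(60, 60))
```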

Re: How do you set up an alert for a failed password attempt?

Explorer

It worked perfectly!!!!

Thank you sir!
