Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create an alert to trigger when admins make a connection to a server not from their own IPs?

kalianov
Path Finder
‎02-18-2016 06:13 AM

Hi

I want to monitor admins by triggering an alert when an admin makes a connection to servers not from their own IPs. How I can do that? The question is, how to create an independent whitelist of IPs for each admin (not in search string) and match it with the logs?

I would be grateful for your ideas.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎02-18-2016 08:35 AM

It depends on how frequently this IP list will change. You could manage the list of IP addresses in a lookup file (ie, a CSV) or you could have a scripted lookup that pulls the address list from an external source.

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Lookup

If you were using a lookup file, you'd probable have it formatted something like this, in a file called admin_ip.csv:

admin, allowed_ip
joe, 1.2.3.4
bob, 2.3.4.5

Then use a subsearch to look for your admin's activity. Substitute eventtype=login for whatever search criteria you use to match a login event. This also assume that your login event has a field called admin. If not, rename the admin field in the subsearch to whatever the username field is called in your login event. Then lookup the list of allowed IP addresses, see if they match the IP address in the event (assuming its in the ip field), and return the list of events.

eventtype=login [| inputlookup admin_ip | dedup admin | fields admin] | lookup admin_ip admin OUTPUT allowed_ip | eval allowed=if(ip==allowed_ip,"Y","N") | where allowed=="N"

View solution in original post

Reply
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎02-18-2016 08:35 AM

It depends on how frequently this IP list will change. You could manage the list of IP addresses in a lookup file (ie, a CSV) or you could have a scripted lookup that pulls the address list from an external source.

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Lookup

If you were using a lookup file, you'd probable have it formatted something like this, in a file called admin_ip.csv:

admin, allowed_ip
joe, 1.2.3.4
bob, 2.3.4.5

Then use a subsearch to look for your admin's activity. Substitute eventtype=login for whatever search criteria you use to match a login event. This also assume that your login event has a field called admin. If not, rename the admin field in the subsearch to whatever the username field is called in your login event. Then lookup the list of allowed IP addresses, see if they match the IP address in the event (assuming its in the ip field), and return the list of events.

eventtype=login [| inputlookup admin_ip | dedup admin | fields admin] | lookup admin_ip admin OUTPUT allowed_ip | eval allowed=if(ip==allowed_ip,"Y","N") | where allowed=="N"
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...