Alerting

How to create an alert to trigger when admins make a connection to a server not from their own IPs?

kalianov
Path Finder

Hi

I want to monitor admins by triggering an alert when an admin makes a connection to servers not from their own IPs. How I can do that? The question is, how to create an independent whitelist of IPs for each admin (not in search string) and match it with the logs?

I would be grateful for your ideas.

1 Solution

Jeremiah
Motivator

It depends on how frequently this IP list will change. You could manage the list of IP addresses in a lookup file (ie, a CSV) or you could have a scripted lookup that pulls the address list from an external source.

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Lookup

If you were using a lookup file, you'd probably have it formatted something like this, in a file called admin_ip.csv:

admin,allowed_ip
joe,1.2.3.4
bob,2.3.4.5

Then use a subsearch to look for your admins' activity. Substitute eventtype=login for whatever search criteria you use to match a login event. This also assumes that your login event has a field called admin. If not, rename the admin field in the subsearch to whatever the username field is called in your login event. Then look up the list of allowed IP addresses, see if they match the IP address in the event (assuming it's in the ip field), and return the list of events.

eventtype=login [| inputlookup admin_ip | dedup admin | fields admin] | lookup admin_ip admin OUTPUT allowed_ip | eval allowed=if(ip==allowed_ip,"Y","N") | where allowed=="N"

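The same per-admin allowlist check, written as an added Python example rather than SPL (it is not code from the thread or from Splunk): it parses an admin_ip.csv-style lookup, then flags login events whose source IP is outside the admin's allowed addresses. It goes a step beyond the search above by letting one admin have several rows and by accepting CIDR blocks as allowed_ip values; the CSV contents and login events are constructed sample data, and the field names admin and ip follow the answer's assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed stand-in for admin_ip.csv. Assumption: one row per admin/address
# pair, so an admin with several allowed addresses gets several rows, and a
# row may hold a single IP or a CIDR block.
ADMIN_IP_CSV = """admin,allowed_ip
joe,1.2.3.4
joe,10.0.0.0/24
bob,2.3.4.5
"""

# Constructed login events, standing in for eventtype=login results that
# already carry an "admin" and an "ip" field.
LOGIN_EVENTS = [
    {"_time": "2024-01-01T08:00:00", "admin": "joe", "ip": "1.2.3.4", "host": "srv1"},
    {"_time": "2024-01-01T08:05:00", "admin": "joe", "ip": "10.0.0.77", "host": "srv2"},
    {"_time": "2024-01-01T09:00:00", "admin": "bob", "ip": "198.51.100.9", "host": "srv1"},
    {"_time": "2024-01-01T09:30:00", "admin": "svc", "ip": "203.0.113.5", "host": "srv3"},
]


def load_allowlist(csv_text):
    """Parse the lookup into admin -> list of ip_network objects."""
    allow = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row["allowed_ip"].strip(), strict=False)
        allow[row["admin"].strip()].append(net)
    return allow


def find_violations(events, allow):
    """Return events where a listed admin logged in from an address outside
    their allowlist. Admins absent from the lookup are skipped, mirroring the
    subsearch that restricts the search to admins present in admin_ip.csv."""
    violations = []
    for ev in events:
        nets = allow.get(ev["admin"])
        if nets is None:
            continue
        try:
            addr = ipaddress.ip_address(ev["ip"])
        except ValueError:
            violations.append(ev)  # unparseable source IP: treat as not allowed
            continue
        if not any(addr in net for net in nets):
            violations.append(ev)
    return violations


if __name__ == "__main__":
    for ev in find_violations(LOGIN_EVENTS, load_allowlist(ADMIN_IP_CSV)):
        print(f"ALERT {ev['_time']} {ev['admin']} from {ev['ip']} to {ev['host']}")
```

With the sample data only bob's login from 198.51.100.9 is reported; joe's 10.0.0.77 falls inside his 10.0.0.0/24 row and svc is not in the lookup.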
