Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Alert creation for 5 Unsuccessful Login attempt from same source and same destination?

rajuljain_mc
New Member
‎11-05-2017 11:00 PM

Sample log-
Cisco ACS Authentication Failed
Nov 3 08:21:13 REL-DC-MSTCRD-ACS CSCOacs_Failed_Attempts 0001982755 2 0 2017-11-03 08:21:13.484 +05:30 0038659009 5401 NOTICE Failed-Attempt:
Authentication failed, ACSVersion=acs-5.8.1.4-B.462.x86_64, ConfigVersionId=53, Device IP Address=10.150.0.5, Device Port=44041,
DestinationIPAddress=172.20.1.200, DestinationPort=49, UserName=mvparam, Protocol=Tacacs, RequestLatency=141, Type=Authentication, Action=Login,
Privilege-Level=15, Authen-Type=ASCII, Service=Enable, User=rajul, Port=39, Remote-Address=172.20.1.152, UserName=rajul,
AcsSessionID=REL-DC-MSTCRD-ACS/278522990/2009452, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII,
SelectedAccessService=IMC-Access, IdentityGroup=IdentityGroup:All Groups:IMC-L2G, FailureReason=22004 , Step=13013 , Step=15008 , Step=15004 ,
Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=13045 , Step=13015 , Step=13014 , Step=15037 , Step=15041 ,
Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=22004

Query-index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed"

Stuck after this query, help to write rule please?

0 Karma
Reply

hardikJsheth
Motivator
‎11-06-2017 08:48 AM

In case you want to take time in consideration as well to check for consecutive unsuccessful login attempts, either you can use timechar command or add bin command to the query as follows:

index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed" | bin _time span=5m| stats count by DestinationIPAddress, Remote-Address, UserName | where count > 5
0 Karma
Reply

harsmarvania57
Ultra Champion
‎11-06-2017 06:56 AM

Hi

Can you please try this query ?

index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed" | stats count by DestinationIPAddress, Remote-Address, UserName | where count > 5

EDIT: Or may be below query because I don't know which is your source and destination IPs, you can change your source and destionation IP field in given query.

    index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed" | stats count by DestinationIPAddress, "Device IP Address", UserName | where count > 5

Thanks,
Harshil

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...