Apr 25 17:13:28 www2 sshd[27718]: [ID 800047 auth.debug] debug1: no match: WinSCP_release_4.3.2
[..within 5 secs..]
Apr 25 17:13:29 www2 sshd[27718]: [ID 800047 auth.info] Failed none for john from 10.2.43.186 port 1358 ssh2
So if winscp is below 4.0.4 get an alert saying john is using older release. Because that is
sshd2 process 27718 belongs to john.
How do I correlate between two events, 5+ secs apart, based on the process id and then generate an appropriate alert if a the number portion of the string is below 4.0.4?
Alert will always go to sysadmin@example.com.
looks like this gave me what I wanted..
source="sshd.log" | rex field=raw "sshd[(?
any suggestion on how to improve it appreciated
ok so I "improved" the search
source="sshd.log" | rex field=raw "sshd[(?
looking for a suggestion to improve this search.
So this is where I am now
http://picpaste.com/pics/splunk-Wz9dmCB4.1303775659.png
I like to generate a table output instead
user winscp_release
pgaul 4.1.8 or even WinSCP_release_4.1.8
with the help of Ayn from #splunk I got this far
source="sshd.log" | rex field=_raw "sshd[(?
So that is a good start
Also, a separate search like this works, which displays the events where winscp version
is lower than 4.0.4
source="sshd.log" | rex field=raw
"version WinSCP_release(?
(?
eval version=major_version.minor_version1.minor_version2 | where version < 419
Now if both events has the same pid then display the event that happens in next 60s
with same pid and has the username displayed like below
Here is an exerpt of the log
Here is the result should look like
Apr 20 16:17:11 www2 sshd[10895]: [ID 800047 auth.debug] debug1: userauth-request for user pgaul service ssh-connection method none
because user pgaul using an winscp whose version is higher than 4.2.0