Alerting

alert based on data on previous and new event

vadud3
Path Finder

Apr 25 17:13:28 www2 sshd[27718]: [ID 800047 auth.debug] debug1: no match: WinSCP_release_4.3.2

[..within 5 secs..]

Apr 25 17:13:29 www2 sshd[27718]: [ID 800047 auth.info] Failed none for john from 10.2.43.186 port 1358 ssh2

So if WinSCP is below 4.0.4, I get an alert saying john is using an older release, because sshd process 27718 belongs to john.

How do I correlate between two events, 5+ secs apart, based on the process id and then generate an appropriate alert if the number portion of the string is below 4.0.4?

Alert will always go to sysadmin@example.com.

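The correlation asked for above, as an added example that is not part of this thread: a Python script that pairs the WinSCP banner line with the later auth line carrying the same sshd pid (the same idea as the `transaction pid maxspan=60s` searches in the thread), then compares the version as an integer tuple rather than as a concatenated digit string, which breaks as soon as a component has two digits (e.g. 4.10.1). The log excerpt, the year used for the syslog timestamps, and the 4.0.4 floor are constructed or assumed here.

```python
import re
from datetime import datetime

# Constructed sample in the thread's sshd log format (not the real pastebin excerpt).
SAMPLE_LOG = """\
Apr 25 17:13:28 www2 sshd[27718]: [ID 800047 auth.debug] debug1: no match: WinSCP_release_4.3.2
Apr 25 17:13:29 www2 sshd[27718]: [ID 800047 auth.info] Failed none for john from 10.2.43.186 port 1358 ssh2
Apr 25 17:14:02 www2 sshd[27801]: [ID 800047 auth.debug] debug1: no match: WinSCP_release_3.8.2
Apr 25 17:14:03 www2 sshd[27801]: [ID 800047 auth.info] Accepted publickey for pgaul from 10.2.43.190 port 1401 ssh2
Apr 25 17:15:10 www2 sshd[27950]: [ID 800047 auth.debug] debug1: no match: WinSCP_release_4.10.1
Apr 25 17:15:11 www2 sshd[27950]: [ID 800047 auth.info] Accepted password for alice from 10.2.43.191 port 1500 ssh2
Apr 25 17:20:00 www2 sshd[27999]: [ID 800047 auth.debug] debug1: no match: WinSCP_release_3.7.0
Apr 25 17:22:00 www2 sshd[27999]: [ID 800047 auth.info] Accepted password for bob from 10.2.43.192 port 1600 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
VERSION_RE = re.compile(r"WinSCP_release_(?P<ver>\d+\.\d+\.\d+)")
USER_RE = re.compile(r"\b(?:Accepted|Failed) \S+ for (?P<user>[^ ]+) from ")

def parse_version(text):
    """'4.10.1' -> (4, 10, 1): compare as integer tuples, not as a concatenated string."""
    return tuple(int(part) for part in text.split("."))

def parse_ts(text, year=2011):
    """Syslog timestamps carry no year; the year is an assumption for this sample."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def find_old_clients(log_text, min_version=(4, 0, 4), maxspan=60):
    """Pair each banner line with the auth line that shares its pid within maxspan seconds."""
    pending = {}  # pid -> (time, version) from the banner line, waiting for its auth line
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, ts, msg = m["pid"], parse_ts(m["ts"]), m["msg"]
        v = VERSION_RE.search(msg)
        if v:
            pending[pid] = (ts, parse_version(v["ver"]))
            continue
        u = USER_RE.search(msg)
        if u and pid in pending:
            seen_at, version = pending.pop(pid)
            # pids get recycled, so only trust a pair that closes inside the window
            if (ts - seen_at).total_seconds() <= maxspan and version < min_version:
                findings.append({"user": u["user"], "pid": pid, "time": m["ts"],
                                 "version": ".".join(map(str, version))})
    return findings
```

Each returned dict is one row of the user/version table the thread asks for; bob's pair is dropped because the two lines are 120 seconds apart, and alice's 4.10.1 is correctly treated as newer than 4.0.4.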

vadud3
Path Finder

Looks like this gave me what I wanted.

source="sshd.log" | rex field=_raw "sshd\[(?<pid>\d+)\]: " | transaction pid maxspan=60s | search winscp | rex field=_raw "version WinSCP_release_(?<major_version>\d)\.(?<minor_version1>\d)\.(?<minor_version2>\d)" | eval version=major_version.minor_version1.minor_version2 | where version < 423

Any suggestion on how to improve it is appreciated.


vadud3
Path Finder

OK, so I "improved" the search:

source="sshd.log" | rex field=_raw "sshd\[(?<pid>\d+)\]: " | transaction pid maxspan=60s | search winscp OR accepted | rex field=_raw "version WinSCP_release_(?<majv>\d)\.(?<minv1>\d)\.(?<minv2>\d)" | eval version=majv.minv1.minv2 | where version < 423 | rex "for (?<user>[^ ]+) from" | eval ver=majv.".".minv1.".".minv2 | eval date=date_month."/".date_mday."/".date_year | table user ver date

Looking for a suggestion to improve this search.


vadud3
Path Finder

So this is where I am now:

http://picpaste.com/pics/splunk-Wz9dmCB4.1303775659.png

I'd like to generate a table output instead:

user    winscp_release
pgaul   4.1.8 (or even WinSCP_release_4.1.8)


vadud3
Path Finder

With the help of Ayn from #splunk I got this far:

source="sshd.log" | rex field=_raw "sshd\[(?<pid>\d+)\]: " | transaction pid

So that is a good start.

Also, a separate search like this works, which displays the events where the WinSCP version is lower than 4.0.4:

source="sshd.log" | rex field=_raw "version WinSCP_release_(?<major_version>\d)\.(?<minor_version1>\d)\.(?<minor_version2>\d)" | eval version=major_version.minor_version1.minor_version2 | where version < 419

Now, if both events have the same pid, then display the event that happens in the next 60s with the same pid and has the username displayed like below.

Here is an excerpt of the log:

http://pastebin.com/WNtyaJDN

Here is what the result should look like:

Apr 20 16:17:11 www2 sshd[10895]: [ID 800047 auth.debug] debug1: userauth-request for user pgaul service ssh-connection method none

because user pgaul is using a WinSCP whose version is higher than 4.2.0.
