I need to create an alert that shows all successful logins to Cisco IOS devices that made changes to the config file, and the changes made. I can get all the config changes made on the IOS device since I have archive logging turned on (sourcetype="cisco:ios" eventtype=cisco_ios-cfglog_loggedcmd).
However, I would like to get the IP address of any host that successfully logs into my device and the changes made to my config file in one fell swoop.
All help will be very much appreciated.
First, find a single event like you are describing, that happened in your real world data.
Second, determine the characteristics of that event, what words or specifications you can use so that you pull that type of event, and only that type of event.
Third, find out if everything that you need is on that one type of event, or if you need to collect data from multiple events that happen around the same time in order to answer your questions about the events.
Fourth, mock up some non-confidential data for the one, two, three types of events, and post a new question asking, "how can I extract this sample data and roll these all together in order to get a report that looks like this sample report."
Then we can help you a LOT!
The log results on config file changes do not pull the IP address of the person who made those changes.
Using an OR operator, I pulled the two eventtypes I was interested in (successful logins and config changes). I got all users who had successfully logged in or changed a config file (user = "*" mnemonic = "login_success" or mnemonic ="config change"). I excluded all rows where there was no config change (| where command !=null). I grouped the result in a transaction (.. | transaction mnemonic = "login_success") and finally piped that into a table.
It was a roundabout way of doing it I suppose, but it works just fine.
Happy to be of assistance. Upvote for posting your solution... a lot of people may be helped when they stumble across this later.
Not sure if transaction is necessary for this, though. If you have only two records for each happening, and if you know a number of fields that uniquely join the two records, you can do something like this:
| table (the fields you care about from any record)
| stats values(*) as * by (the fields that join the record)
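The correlation the accepted answer builds in SPL (pull login_success and config-change events together, drop rows with no command, group them per login and table the result) and the stats-style join suggested above can be checked outside Splunk. The following is an added example written for this thread, not code posted by any participant: it parses constructed cisco:ios syslog lines, attaches each logged config command to the most recent successful login of the same user within a session window, and reports only those logins that made changes. The message formats follow the standard IOS %SEC_LOGIN-5-LOGIN_SUCCESS and %PARSER-5-CFGLOG_LOGGEDCMD mnemonics; the hostnames, users, IPs, timestamps and the one-hour window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample cisco:ios lines (not from the thread). The mnemonics are the
# standard IOS ones; every host, user, address and time here is invented.
SAMPLE_LOG = """\
Mar 10 09:00:01 rtr1 1234: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 10.1.1.50] [localport: 22] at 09:00:01 UTC Tue Mar 10 2020
Mar 10 09:00:40 rtr1 1235: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:interface GigabitEthernet0/1
Mar 10 09:00:45 rtr1 1236: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:shutdown
Mar 10 09:05:00 rtr1 1237: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 10.1.1.77] [localport: 22] at 09:05:00 UTC Tue Mar 10 2020
Mar 10 11:30:00 rtr1 1238: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 10.1.1.51] [localport: 22] at 11:30:00 UTC Tue Mar 10 2020
Mar 10 11:31:10 rtr1 1239: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:no shutdown
"""

ASSUMED_YEAR = 2020  # syslog timestamps carry no year; assumption for the sample

TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \d+: "
LOGIN_RE = re.compile(
    TS + r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")
CMD_RE = re.compile(
    TS + r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")


def _ts(text):
    return datetime.strptime(f"{ASSUMED_YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_events(text):
    """Keep only the two event kinds the search cares about, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append({"ts": _ts(m["ts"]), "kind": "login",
                           "user": m["user"], "src": m["src"]})
            continue
        m = CMD_RE.match(line)
        if m:
            events.append({"ts": _ts(m["ts"]), "kind": "cmd",
                           "user": m["user"], "cmd": m["cmd"].strip()})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, max_session=timedelta(hours=1)):
    """Join commands to the latest login of the same user (the 'transaction' step),
    then drop logins that changed nothing (the 'where command != null' step)."""
    latest = {}      # user -> most recent session record
    sessions = []
    for e in events:
        if e["kind"] == "login":
            s = {"user": e["user"], "src_ip": e["src"],
                 "login_time": e["ts"], "commands": []}
            latest[e["user"]] = s
            sessions.append(s)
        else:
            s = latest.get(e["user"])
            if s is None or e["ts"] - s["login_time"] > max_session:
                # Config change with no recent login for that user (console session,
                # or the login line never arrived): keep it, but flag the source.
                s = {"user": e["user"], "src_ip": "unknown",
                     "login_time": e["ts"], "commands": []}
                latest[e["user"]] = s
                sessions.append(s)
            s["commands"].append(e["cmd"])
    return [s for s in sessions if s["commands"]]


def report(sessions):
    """The '| table' step: one line per login that made changes."""
    lines = []
    for s in sessions:
        lines.append(f"{s['login_time']:%Y-%m-%d %H:%M:%S}  {s['user']:<8} "
                     f"{s['src_ip']:<15} {'; '.join(s['commands'])}")
    return lines


if __name__ == "__main__":
    for line in report(correlate(parse_events(SAMPLE_LOG))):
        print(line)
```

On the sample, bob logged in but ran no config commands and so is absent from the report, while alice appears twice, once per login, each with the source IP of that login and the commands it issued. The join key here is the user plus recency, which is what the `stats values(*) as * by <join fields>` suggestion above needs as well: if your login and CFGLOG events share a field that identifies the session, group on that instead of relying on time.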
Even though your answer didn't solve the problem, it did give me a direction to go in, so I will accept it.