Alerting

get all ip address that connect to ios devices and make config changes

keronedave
Explorer

I need to create an alert that shows all successful logins to ios devices that made changes to the config file and the changes made. I can get all the config changes made on the ios device since I have archive logging turned on (sourcetype="cisco:ios" eventtype=cisco_ios-cfglog_loggedcmd).

However, I would like to get the IP address of any host that successfully logs into my device and the changes made to my config file in one fell swoop.

All help will be very much appreciated.

1 Solution

DalJeanis
Legend

First, find a single event like you are describing, that happened in your real world data.

Second, determine the characteristics of that event, what words or specifications you can use so that you pull that type of event, and only that type of event.

Third, find out if everything that you need is on that one type of event, or if you need to collect data from multiple events that happen around the same time in order to answer your questions about the events.

Fourth, mock up some non-confidential data for the one, two, three types of events, and post a new question asking, "how can I extract this sample data and roll these all together in order to get a report that looks like this sample report."

Then we can help you a LOT!


keronedave
Explorer

The log results on config file changes do not pull the IP address of the person who made those changes.

Using an OR operator, I pulled the two eventtypes I was interested in (successful logins and config changes). I got all users who had successfully logged in or changed a config file (user = "*" mnemonic = "login_success" or mnemonic ="config change"). I excluded all rows where there was no config change (| where command !=null). I grouped the result in a transaction (.. | transaction mnemonic = "login_success") and finally piped that into a table.

It was a roundabout way of doing it I suppose, but it works just fine.

DalJeanis
Legend

Happy to be of assistance. Upvote for posting your solution... a lot of people may be helped when they stumble across this later.

Not sure if transaction is necessary for this, though. If you have only two records for each happening, and if you know a number of fields that uniquely join the two records, you can do something like this:

| table <the fields you care about from any record>
| stats values(*) as * by <the fields that join the records>
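The correlation both posts describe (pair each config-change event with the successful login that preceded it for the same user on the same device, then group the commands by source address) can be checked outside Splunk before turning it into an alert. The script below is an added example written for this thread, not code from either poster or from Splunk. It assumes Cisco IOS syslog lines of the LOGIN_SUCCESS and CFGLOG_LOGGEDCMD message types with the fields shown; the sample lines are constructed, and the regexes are written for those constructed lines rather than for every IOS firmware variant. It also handles the case neither post mentions: a config change with no matching login in the window (console access, or a login before the search window), which is reported with an empty source IP rather than silently dropped.

```python
"""Correlate Cisco IOS login-success events with config-change events.

Added example for the thread above; not the posters' SPL and not Splunk code.
Assumptions: IOS syslog lines in "Mon DD HH:MM:SS host seq: %FACILITY-SEV-MNEMONIC: ..."
form, with the user/source fields laid out as in the constructed samples below.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not captured from a real device).
SAMPLE_LOGS = """\
Jun 12 10:00:01 rtr1 101: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 10.1.2.3] [localport: 22] at 10:00:01 UTC Wed Jun 12 2024
Jun 12 10:00:40 rtr1 102: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:interface GigabitEthernet0/1
Jun 12 10:00:45 rtr1 103: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:shutdown
Jun 12 10:05:00 rtr2 201: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 10.9.9.9] [localport: 22] at 10:05:00 UTC Wed Jun 12 2024
Jun 12 10:07:30 rtr1 104: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 192.168.50.7] [localport: 22] at 10:07:30 UTC Wed Jun 12 2024
Jun 12 10:08:00 rtr1 105: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:no shutdown
Jun 12 10:09:00 rtr1 106: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: eve] [Source: 203.0.113.4] [localport: 22] [Reason: Login Authentication Failed] at 10:09:00 UTC Wed Jun 12 2024
Jun 12 10:10:00 rtr2 202: %PARSER-5-CFGLOG_LOGGEDCMD: User:carol  logged command:hostname rtr2-new
"""

# Outer syslog envelope: timestamp, reporting host, sequence number, message.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \d+: (?P<msg>%.*)$")
# Only LOGIN_SUCCESS matches; LOGIN_FAILED lines are ignored on purpose.
LOGIN_RE = re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")
CFG_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")


def parse_events(text):
    """Turn raw lines into login_success / config_change event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IOS line in the envelope we understand
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year defaults to 1900; ordering only
        host, msg = m.group("host"), m.group("msg")
        lm = LOGIN_RE.search(msg)
        cm = CFG_RE.search(msg)
        if lm:
            events.append({"ts": ts, "host": host, "kind": "login_success",
                           "user": lm.group("user"), "src_ip": lm.group("src")})
        elif cm:
            events.append({"ts": ts, "host": host, "kind": "config_change",
                           "user": cm.group("user"), "command": cm.group("cmd").strip()})
    events.sort(key=lambda e: e["ts"])  # stable sort keeps same-second order
    return events


def correlate(text):
    """One row per config change, carrying the most recent login for (host, user)."""
    last_login = {}  # (host, user) -> most recent login_success event
    rows = []
    for e in parse_events(text):
        key = (e["host"], e["user"])
        if e["kind"] == "login_success":
            last_login[key] = e
            continue
        login = last_login.get(key)  # None when no login was seen in the window
        rows.append({
            "host": e["host"],
            "user": e["user"],
            "src_ip": login["src_ip"] if login else None,
            "login_time": login["ts"].strftime("%H:%M:%S") if login else None,
            "change_time": e["ts"].strftime("%H:%M:%S"),
            "command": e["command"],
        })
    return rows


def summarize(rows):
    """Group commands by (host, user, src_ip), like `stats list(command) by host user src_ip`."""
    grouped = defaultdict(list)
    for r in rows:
        grouped[(r["host"], r["user"], r["src_ip"])].append(r["command"])
    return dict(grouped)


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOGS):
        print(f"{r['host']:5} {r['user']:6} {str(r['src_ip']):14} "
              f"login={r['login_time']} change={r['change_time']} cmd={r['command']}")
```

The `last_login` lookup is the procedural equivalent of the join DalJeanis sketches: `host` and `user` are the fields that tie a login record to a config-change record, and `summarize` plays the role of the `stats ... by` step. In Splunk the same idea needs the login's `src_ip` carried forward to the later events (for example with `streamstats latest(src_ip) by host user` before the `stats`), and the unmatched row for `carol` is the case an alert should surface rather than filter away.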


keronedave
Explorer

Even though your answer didn't solve the problem, it did give me a direction to go in, so I will accept it.
