Solved: unix_TA lastlog.sh match for alert

rafaelruales · ‎03-08-2021

Hi,

I am trying to figure out how to create an alert when a specific user appears in the output of the lastlog.sh script.

The output is a nicely formatted table as follows:

Username	From	Latest
user1	1.1.1.1	fri Mar 4 2:20

I am new to splunk, I cannot figure out how I would create a query that would model something like an object where I can loop through everything under the username column and then do a lookup to see if user1 exists.

Any help would be appreciated, the ultimate goal is for the query to show if "user1" appears in the output of:

host=our_server sourcetype=lastlog

any links to documentation for this would be helpful too

rafaelruales · ‎03-16-2021

I was able to get this going after some research using a query similar to this and setting the alert to trigger if the results of the search is greater than 0.

host=myHostHere sourcetype=lastlog
| multikv fields USERNAME
| where USERNAME = "user1" OR USERNAME = "user2"
| table host USERNAME

View solution in original post

rafaelruales · ‎03-16-2021

I was able to get this going after some research using a query similar to this and setting the alert to trigger if the results of the search is greater than 0.

host=myHostHere sourcetype=lastlog
| multikv fields USERNAME
| where USERNAME = "user1" OR USERNAME = "user2"
| table host USERNAME

unix_TA lastlog.sh match for alert

alert action

alert condition

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?