All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I make the Splunk App for PCI Compliance count "last message repeated 2 times" on su authentication failure in /var/log/secure?

hylam
Contributor
‎06-28-2015 09:09 PM

/var/log/secure

Jun 29 11:47:58 ecc2 su: pam_unix(su-l:auth): authentication failure; logname=root uid=11130 euid=0 tty=pts/1 ruser=delta rthost=  user=root
Jun 29 11:48:38 ecc2 last message repeated 2 times

I would like a notable event to be generated after su failed 5 times in 30 min. I have ran the following search

host=ecc2 `authentication(failure)`

The "authentication(failure)" should be a macro surrounded by backticks.

The search gives the "authentication failure" line w/o the repetition count? How can I get Splunk to count it? How can I disable the repetition count in syslog? Thx.

Reply

woodcock
Esteemed Legend
‎12-12-2015 07:37 PM

How about like this:

... | rex "Last\s+message\s+repeated\s+(?<repeatsNoContext>\d+)\s+times." | fillnull value=0 repeatsNoContext | autoregress repeatsNoContext AS repeatsForMe | eval myCount= 1 + repeatsForMe

This will cause every event to have a field myCount that is correct.

0 Karma
Reply

hylam
Contributor
‎12-13-2015 04:38 AM

plz see my comment to the question here
https://answers.splunk.com/answers/334215/how-do-i-deal-with-linux-authlog-last-message-repe.html

0 Karma
Reply

srinathd
Contributor
‎06-28-2015 11:38 PM

Extract "authentication failure" into some field say "suFailure" then use transaction command like this

transaction suFailure maxspan=1800s | where eventcount >=5

0 Karma
Reply

hylam
Contributor
‎06-28-2015 11:46 PM

last message repeated 2 times <-- how can transaction event count work on this?

0 Karma
Reply

srinathd
Contributor
‎06-28-2015 11:58 PM

By this "transaction suFailure maxspan=1800s | where eventcount >=5" you will get the notable event count which is greater than 5. If the event always have this "last message repeated" then extract this as a field and can use it in the transaction command. Try it.

0 Karma
Reply

hylam
Contributor
‎06-29-2015 12:20 AM

when splunk transaction eventcount=2, repeat count in /var/log/secure can be 2 or above. how can i count 5+ login failure attempts?

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
li.common.scroll-to.top