
How can I make the Splunk App for PCI Compliance count "last message repeated 2 times" on su authentication failure in /var/log/secure?

hylam
Contributor

/var/log/secure

Jun 29 11:47:58 ecc2 su: pam_unix(su-l:auth): authentication failure; logname=root uid=11130 euid=0 tty=pts/1 ruser=delta rhost=  user=root
Jun 29 11:48:38 ecc2 last message repeated 2 times

I would like a notable event to be generated after su failed 5 times in 30 min. I have run the following search:

host=ecc2 `authentication(failure)`

The "authentication(failure)" should be a macro surrounded by backticks.

The search gives the "authentication failure" line without the repetition count. How can I get Splunk to count it? How can I disable the repetition count in syslog? Thanks.

woodcock
Esteemed Legend

How about like this:

... | rex "(?i)last\s+message\s+repeated\s+(?<repeatsNoContext>\d+)\s+times" | fillnull value=0 repeatsNoContext | autoregress repeatsNoContext AS repeatsForMe | eval myCount= 1 + repeatsForMe

This will cause every event to have a field myCount that is correct.


srinathd
Contributor

Extract "authentication failure" into some field, say "suFailure", then use the transaction command like this:

transaction suFailure maxspan=1800s | where eventcount >=5


hylam
Contributor

last message repeated 2 times <-- how can the transaction event count work on this?


srinathd
Contributor

With "transaction suFailure maxspan=1800s | where eventcount >=5" you will get the notable events whose count is greater than 5. If the event always has this "last message repeated", then extract it as a field and use it in the transaction command. Try it.


hylam
Contributor

When the Splunk transaction eventcount=2, the repeat count in /var/log/secure can be 2 or above. How can I count 5+ login failure attempts?

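Putting the two suggestions together outside Splunk, as an added example that is not from any of the posts above or from Splunk itself: the script below re-inflates syslog's "last message repeated N times" lines onto the preceding su failure (the idea behind woodcock's rex/autoregress pipeline) and then applies the 5-failures-in-30-minutes rule per host/ruser/user (the threshold srinathd's transaction search expresses). The log sample is constructed; only its first two lines mirror the question. The year 2015 is an assumption, since BSD syslog timestamps carry none, and all function and field names are mine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure. The first two lines mirror the question;
# the rest are made up: an sshd line followed by a "repeated" line (a decoy that
# must NOT be counted as su failures) and a second su burst inside the same 30 min.
SAMPLE_LOG = """\
Jun 29 11:47:58 ecc2 su: pam_unix(su-l:auth): authentication failure; logname=root uid=11130 euid=0 tty=pts/1 ruser=delta rhost=  user=root
Jun 29 11:48:38 ecc2 last message repeated 2 times
Jun 29 11:55:10 ecc2 sshd[2211]: Accepted publickey for delta from 10.0.0.5 port 50110 ssh2
Jun 29 11:56:00 ecc2 last message repeated 4 times
Jun 29 12:05:02 ecc2 su: pam_unix(su-l:auth): authentication failure; logname=root uid=11130 euid=0 tty=pts/1 ruser=delta rhost=  user=root
Jun 29 12:06:40 ecc2 last message repeated 3 times
Jun 29 14:00:00 ecc2 su: pam_unix(su-l:auth): authentication failure; logname=root uid=11130 euid=0 tty=pts/1 ruser=delta rhost=  user=root
"""

# BSD syslog header: "Mon dd HH:MM:SS host message" (the timestamp has no year).
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
SU_FAIL_RE = re.compile(r"^su: pam_unix\(su-l:auth\): authentication failure;.*\bruser=(?P<ruser>\S*).*\buser=(?P<user>\S+)")
# syslog's collapsed form; case-insensitive because some daemons write "Last".
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times", re.IGNORECASE)


def parse_line(line, year):
    """Split one syslog line into (datetime, host, message); None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def naive_count(lines, year):
    """What the question's search sees: only the literal 'authentication failure' lines."""
    n = 0
    for line in lines:
        parsed = parse_line(line, year)
        if parsed and SU_FAIL_RE.match(parsed[2]):
            n += 1
    return n


def expand_su_failures(lines, year):
    """Return one (timestamp, host, ruser, user) tuple per su auth failure, re-inflating
    the failures syslog collapsed into 'last message repeated N times'. A repeat line is
    only trusted when the previous message on that host was itself an su failure;
    otherwise it refers to some other message and is ignored."""
    attempts = []
    last_su = {}  # host -> (ruser, user) if the previous message was an su failure, else None
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, host, msg = parsed
        fail = SU_FAIL_RE.match(msg)
        rep = REPEAT_RE.match(msg)
        if fail:
            last_su[host] = (fail["ruser"], fail["user"])
            attempts.append((ts, host, fail["ruser"], fail["user"]))
        elif rep:
            if last_su.get(host):
                # The N extra failures happened between the original line and this one;
                # syslog does not say when, so stamp them with this line's time (the
                # latest they can have occurred). A repeat line after a repeat line still
                # refers to the same original, so last_su is deliberately left alone.
                attempts.extend((ts, host) + last_su[host] for _ in range(int(rep["n"])))
        else:
            last_su[host] = None
    return attempts


def detect_bursts(attempts, threshold=5, window=timedelta(minutes=30)):
    """Sliding-window rule: alert when one (host, ruser, user) has >= threshold failures
    inside any `window`. Returns (key, window_start, window_end, count) once per crossing
    and re-arms only after the count inside the window drops below the threshold."""
    by_key = defaultdict(list)
    for ts, host, ruser, user in attempts:
        by_key[(host, ruser, user)].append(ts)
    alerts = []
    for key, times in by_key.items():
        recent, armed = deque(), True
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:  # never empties: t itself is in the deque
                recent.popleft()
            if len(recent) >= threshold:
                if armed:
                    alerts.append((key, recent[0], t, len(recent)))
                    armed = False
            else:
                armed = True
    return alerts


if __name__ == "__main__":
    YEAR = 2015  # assumed; BSD syslog timestamps carry no year
    lines = SAMPLE_LOG.splitlines()
    print("su failure lines seen by the plain search:", naive_count(lines, YEAR))
    attempts = expand_su_failures(lines, YEAR)
    print("actual su failures after expanding repeats:", len(attempts))
    for key, start, end, n in detect_bursts(attempts):
        print(f"NOTABLE: {n} su failures for {key} between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

On the sample the plain search sees 3 failure lines, none of the two bursts reaches 5 on its own, and only after the repeats are counted does the 30-minute window cross the threshold (7 real attempts between 11:47:58 and 12:06:40). Two caveats carried into the code: "last message repeated" refers to whatever the previous message on that host was, so the sshd decoy's 4 repeats are correctly dropped, and the repeated attempts are stamped with the time syslog flushed the repeat line, which is the only timestamp the log gives for them. If the collapsing itself is unwanted, rsyslog controls it with the `$RepeatedMsgReduction` directive; setting it to `off` makes every su failure its own line and the plain count becomes exact.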