All Apps and Add-ons

How can I make the Splunk App for PCI Compliance count "last message repeated 2 times" on su authentication failure in /var/log/secure?

hylam
Contributor

/var/log/secure

Jun 29 11:47:58 ecc2 su: pam_unix(su-l:auth): authentication failure; logname=root uid=11130 euid=0 tty=pts/1 ruser=delta rthost=  user=root
Jun 29 11:48:38 ecc2 last message repeated 2 times

I would like a notable event to be generated after su failed 5 times in 30 min. I have ran the following search

host=ecc2 `authentication(failure)`

The "authentication(failure)" should be a macro surrounded by backticks.

The search gives the "authentication failure" line w/o the repetition count? How can I get Splunk to count it? How can I disable the repetition count in syslog? Thx.

woodcock
Esteemed Legend

How about like this:

... | rex "Last\s+message\s+repeated\s+(?<repeatsNoContext>\d+)\s+times." | fillnull value=0 repeatsNoContext | autoregress repeatsNoContext AS repeatsForMe | eval myCount= 1 + repeatsForMe

This will cause every event to have a field myCount that is correct.

0 Karma

hylam
Contributor
0 Karma

srinathd
Contributor

Extract "authentication failure" into some field say "suFailure" then use transaction command like this

transaction suFailure maxspan=1800s | where eventcount >=5

0 Karma

hylam
Contributor

last message repeated 2 times <-- how can transaction event count work on this?

0 Karma

srinathd
Contributor

By this "transaction suFailure maxspan=1800s | where eventcount >=5" you will get the notable event count which is greater than 5. If the event always have this "last message repeated" then extract this as a field and can use it in the transaction command. Try it.

0 Karma

hylam
Contributor

when splunk transaction eventcount=2, repeat count in /var/log/secure can be 2 or above. how can i count 5+ login failure attempts?

0 Karma