All Apps and Add-ons

How can I make the Splunk App for PCI Compliance count "last message repeated 2 times" on su authentication failure in /var/log/secure?

hylam
Contributor

/var/log/secure

Jun 29 11:47:58 ecc2 su: pam_unix(su-l:auth): authentication failure; logname=root uid=11130 euid=0 tty=pts/1 ruser=delta rthost=  user=root
Jun 29 11:48:38 ecc2 last message repeated 2 times

I would like a notable event to be generated after su failed 5 times in 30 min. I have ran the following search

host=ecc2 `authentication(failure)`

The "authentication(failure)" should be a macro surrounded by backticks.

The search gives the "authentication failure" line w/o the repetition count? How can I get Splunk to count it? How can I disable the repetition count in syslog? Thx.

woodcock
Esteemed Legend

How about like this:

... | rex "Last\s+message\s+repeated\s+(?<repeatsNoContext>\d+)\s+times." | fillnull value=0 repeatsNoContext | autoregress repeatsNoContext AS repeatsForMe | eval myCount= 1 + repeatsForMe

This will cause every event to have a field myCount that is correct.

0 Karma

hylam
Contributor
0 Karma

srinathd
Contributor

Extract "authentication failure" into some field say "suFailure" then use transaction command like this

transaction suFailure maxspan=1800s | where eventcount >=5

0 Karma

hylam
Contributor

last message repeated 2 times <-- how can transaction event count work on this?

0 Karma

srinathd
Contributor

By this "transaction suFailure maxspan=1800s | where eventcount >=5" you will get the notable event count which is greater than 5. If the event always have this "last message repeated" then extract this as a field and can use it in the transaction command. Try it.

0 Karma

hylam
Contributor

when splunk transaction eventcount=2, repeat count in /var/log/secure can be 2 or above. how can i count 5+ login failure attempts?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...