- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Scripting, Search, Passing Vars
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Scripting, Search, Passing Vars
Greetings,
I am trying to setup up Splunk to count the failed login attempts on our firewall and then run a script that will login to the firewall and block said IP address.
Currently, I have it setup to capture failed login attempts and run the default script (echo.sh) for testing purposes.
My questions is, how do I count and pass the IP address after “from” in the log below?
Dec 27 15:37:36 192.168.4.1 seclogin: [2012 Dec 27 15:37:36] UTM5 Login failed: invalid user sdhsdh from 192.168.4.3
Do I have to create a field type or use the field extractor? How does either, affect Splunks outputs listed here: http://docs.splunk.com/Documentation/Splunk/5.0.1/Alert/Configuringscriptedalerts
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you already have the src_ip field being extracted, you need a stats command to build a count. Try the following search over a relevant time period:-
seclogin: "Login failed" "invalid user" | stats count by src_ip | where count>20
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found this in another thread, seems to have done the trick.
\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"
thx for ur help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The regex should be generic and accept any numbers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The logs only have one IP address in them (192.168.4.3), by using the GUI will it account for IP addresses that vary in the individual octet? For example, 17.45.252.1? etc? Or do i need to edit the rex syntax? I receive an error message for entering IP addresses that are not found within the log.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The interactive field extractor can do this for you.
There is a quick 3min video here http://www.splunk.com/view/SP-CAAADUY
and the docs are here http://docs.splunk.com/Documentation/Splunk/5.0.1/Knowledge/ExtractfieldsinteractivelywithIFX
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Bob,
No I have not extracted the src_ip field. Am I to define a regular expression to extract the IP or is there a more friendly GUI approach?
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
