All Apps and Add-ons

Splunk App for Unix and Linux: How to search for data on account lockouts?

tmarlette
Motivator

I have deployed the UNIX app successfully to my environment, and the app is working well, however I don't see anything that would tell me about 'account lockouts'. I wanted to ask a couple of questions to the community to see if i'm missing something.

Question 1: Am i overlooking something within the UNIX app that I just just click on to see when a Unix account is locked out? a search that is already formulated?

Question 2: in trying to build my own 'account lockout' query, and I can see a series of events if I search for:

index=my_index bad password

the no quotes are deliberate, and all linux data goes to the same index. I can't however see in the event message where it say's 'bad password'.

I've also tried to search the

index=my_index sourcetype="Unix:UserAccounts"

for an instance, however I can't see anything there either. I assume it's my ignorance, so I figured I would ask and see if someone has already done this?

0 Karma
1 Solution

tmarlette
Motivator

I found out there is no such place / extraction. This must be done manually, and in many cases from /var/log/messages.

View solution in original post

0 Karma

tmarlette
Motivator

I found out there is no such place / extraction. This must be done manually, and in many cases from /var/log/messages.

View solution in original post

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!