
Splunk App for Unix and Linux: How to search for data on account lockouts?

tmarlette
Motivator

I have deployed the UNIX app successfully to my environment, and the app is working well; however, I don't see anything that would tell me about 'account lockouts'. I wanted to ask a couple of questions to the community to see if I'm missing something.

Question 1: Am I overlooking something within the UNIX app that I just click on to see when a Unix account is locked out? A search that is already formulated?

Question 2: In trying to build my own 'account lockout' query, I can see a series of events if I search for:

index=my_index bad password

The absence of quotes is deliberate, and all Linux data goes to the same index. I can't, however, see anywhere in the event message where it says 'bad password'.

I've also tried to search the

index=my_index sourcetype="Unix:UserAccounts"

for an instance; however, I can't see anything there either. I assume it's my ignorance, so I figured I would ask and see if someone has already done this.


tmarlette
Motivator

I found out there is no such place / extraction. This must be done manually, and in many cases from /var/log/messages.

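Since the app ships no lockout extraction, the detection has to be built from the raw auth messages. The following is an added example, not code from the post or the Splunk app: it runs the same per-user failure counting and lockout detection over constructed /var/log/messages-style lines (sshd "Failed password", pam_tally2 and pam_faillock formats), with a hypothetical threshold of 3 standing in for the PAM deny value.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/messages style (not real data); the
# sshd, pam_tally2 and pam_faillock message shapes follow what those modules log.
SAMPLE_LOG = """\
Mar 10 08:01:12 host1 sshd[2301]: Failed password for tmarlette from 10.0.0.5 port 51022 ssh2
Mar 10 08:01:15 host1 sshd[2301]: Failed password for tmarlette from 10.0.0.5 port 51022 ssh2
Mar 10 08:01:19 host1 sshd[2301]: Failed password for tmarlette from 10.0.0.5 port 51022 ssh2
Mar 10 08:01:19 host1 sshd[2301]: pam_tally2(sshd:auth): user tmarlette (1001) tally 3, deny 3
Mar 10 08:02:40 host1 sshd[2310]: Failed password for invalid user admin from 10.0.0.9 port 40011 ssh2
Mar 10 08:03:02 host1 sshd[2315]: Accepted password for jdoe from 10.0.0.7 port 50200 ssh2
Mar 10 08:04:10 host1 sshd[2318]: Failed password for carol from 10.0.0.11 port 42000 ssh2
Mar 10 08:04:13 host1 sshd[2318]: Failed password for carol from 10.0.0.11 port 42000 ssh2
Mar 10 08:04:17 host1 sshd[2318]: Failed password for carol from 10.0.0.11 port 42000 ssh2
Mar 10 08:05:44 host1 sshd[2320]: pam_faillock(sshd:auth): Consecutive login failures for user bob account temporarily locked
"""

# "invalid user" is optional so unknown accounts are counted under the name tried.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
TALLY_RE = re.compile(r"pam_tally2\([^)]*\): user (?P<user>\S+) \(\d+\) tally (?P<tally>\d+), deny (?P<deny>\d+)")
FAILLOCK_RE = re.compile(r"pam_faillock\([^)]*\): Consecutive login failures for user (?P<user>\S+) account temporarily locked")


def analyze(log_text, threshold=3):
    """Return per-user failure counts, explicit lockouts, and suspected lockouts."""
    failures = Counter()
    locked = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["user"]] += 1
            continue
        m = TALLY_RE.search(line)
        if m and int(m["tally"]) >= int(m["deny"]):  # tally reached the deny limit
            locked[m["user"]] = "pam_tally2"
            continue
        m = FAILLOCK_RE.search(line)
        if m:
            locked[m["user"]] = "pam_faillock"
    # Users at or above the threshold with no explicit lock message (e.g. PAM lock
    # logging not enabled) are reported as suspected so they are not missed.
    suspected = sorted(u for u, n in failures.items() if n >= threshold and u not in locked)
    return {"failures": dict(failures), "locked": locked, "suspected": suspected}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The per-user count is what a `stats count by user` over the same field extraction would produce in Splunk; the explicit pam_tally2 / pam_faillock lines are the events a lockout search should key on when they are present.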