Dashboard for Successfully Login in Linux and Windows

shubhajits
New Member

Hi Splunk Community,

I am completely new to Splunk. I somehow managed to deploy the Splunk Universal Forwarder on many Linux nodes and a few Windows systems.

I am able to view /var/log/secure and /var/log/messages being indexed, as well as the Windows security event log, on the index I created.

I want a dashboard that shows the following:

1. Number of hosts where the Splunk forwarder is deployed (Linux and Windows separately).

2. Successful and failed logins.

3. Alert when root logs in on Linux and Administrator logs in on Windows.

0 Karma

gcusello
SplunkTrust

Hi @shubhajits,

you're asking many easy things:

1)

to have the list of servers that are sending logs, you could run something like this:

| metasearch index=os OR index=wineventlog
| stats values(host) AS hosts, dc(host) AS host_count BY index

but in this case you only have the servers that are sending logs; if a server is missing you won't see it, but that is another question that you can search for in the Community.

2)

For successful or unsuccessful logins there's a problem: every Windows login generates around 10-12 login events (EventCode=4624), so the results could be unreliable.

Anyway, the search could be (for windows) something like this:

index=wineventlog EventCode=4624 OR EventCode=4625
| stats count BY EventCode

and for Linux, something like this:

index=os sourcetype=linux_secure NOT disconnect ("accepted password" OR "failed password")
| eval action=if(searchmatch("accepted password"),"Login","LogFail")
| stats count BY action

If you want all of it in one panel it's a little bit more complicated, because you should create four eventtypes:

  • windows_login (index=wineventlog EventCode=4624)
  • windows_logfail (index=wineventlog EventCode=4625)
  • linux_login (index=os "accepted password")
  • linux_logfail (index=os "failed password")

using the above searches, and associate the LOGIN or LOGFAIL tags with the eventtypes; then you can run a simple search using tags:

tag=LOGIN OR tag=LOGFAIL
| stats count BY index tag

3)

About the alert for root or administrator, you have to search the eventtypes windows_login or linux_login for the words root or administrator, something like this:

tag=LOGIN (root OR administrator)

Only one final hint: follow the Search Tutorial to understand SPL.

Ciao.

Giuseppe

0 Karma
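Giuseppe's eventtype-and-tag approach, written out as the Splunk configuration files that implement it, plus the host count and the privileged-login alert from points 1 and 3. This is an added example, not code from the thread and not from Splunk or any app. It assumes the index names and sourcetype used in the thread (os, wineventlog, linux_secure); the Logon_Type filter on the Windows eventtype, the use of the extracted user field, the schedule and thresholds, and the alert recipient are my own assumptions and placeholders.

```ini
# eventtypes.conf  (e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/eventtypes.conf)
# Windows: EventCode 4624 = successful logon, 4625 = failed logon.
# Assumption (not in the thread): limiting 4624 to interactive (Logon_Type=2)
# and remote-interactive (Logon_Type=10) logons drops most of the duplicate
# network/service logon events Giuseppe warns about.
[windows_login]
search = index=wineventlog EventCode=4624 (Logon_Type=2 OR Logon_Type=10)

[windows_logfail]
search = index=wineventlog EventCode=4625

[linux_login]
search = index=os sourcetype=linux_secure "Accepted password"

[linux_logfail]
search = index=os sourcetype=linux_secure "Failed password"

# tags.conf - attach the LOGIN / LOGFAIL tags to the four eventtypes.
[eventtype=windows_login]
LOGIN = enabled

[eventtype=windows_logfail]
LOGFAIL = enabled

[eventtype=linux_login]
LOGIN = enabled

[eventtype=linux_logfail]
LOGFAIL = enabled

# savedsearches.conf - reports to put on the dashboard panels, plus the alert.
# Point 1: hosts that have actually sent events, per index (tstats reads the
# index metadata, so this stays fast even over long time ranges).
[Forwarder hosts per index]
search = | tstats dc(host) AS host_count, values(host) AS hosts WHERE (index=os OR index=wineventlog) BY index

# Point 2: one panel for both platforms, split by index and tag.
[Logins and failures per platform]
search = tag=LOGIN OR tag=LOGFAIL | stats count BY index, tag

# Point 3: runs every 5 minutes over the previous 5 minutes and fires when at
# least one event matches. Assumption: "user" is the field name your Windows
# and linux_secure field extractions produce; matching on the field rather
# than the bare words root/administrator avoids hits on unrelated text.
# "alert-recipient@example.com" is a placeholder.
[Privileged interactive login]
search = tag=LOGIN (user=root OR user=Administrator)
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.email = 1
action.email.to = alert-recipient@example.com
```

After a restart (or a debug/refresh), each saved search appears under Reports and can be added to a dashboard panel; the alert shows up under Alerts with its schedule. Check the four eventtypes first with a plain `eventtype=windows_login` style search so that you know the tag searches are actually matching events before you build panels on them.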

lakshman239
Influencer

For dashboards, you would need to create the search matching your need and save it as a view. I would also suggest completing https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html and looking at the Splunk dashboard examples app and the Splunk Unix app on Splunkbase - https://splunkbase.splunk.com/app/273/

0 Karma