Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Searching for failed file accesses from linux audit data

chadroberts
Path Finder
‎04-21-2011 07:05 AM

In my test environment I have several Windows and Linux systems using splunk forwarder to send audit logs to the main splunk server. We have a requirement to detect and investigate failed accesses to security-relevant objects (SROs), which is basically a list of files or directories that we specify. Detecting failed access to SROs with Windows audit events is relatively easy since that is a single event with a well-known event ID. However in Linux that raw audit data looks like 3 separate audit events with a common event id. I've started down the path of creating a custom search script and am able to read in the event data from splunk.Intersplunk.getOrganizedResults but I'm stuck at the point of generating an event to put into splunk.Intersplunk.outputResults. Is there a method to generate a new event (transient?) to return from my saved search?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎04-21-2011 07:51 AM

if the three separate audit events that make up the failed access always have the same structure or format, you can define a transaction to represent them, and then search for/alert on that instead:

http://www.splunk.com/base/Documentation/latest/Knowledge/Abouttransactions
http://www.splunk.com/base/Documentation/latest/Knowledge/Definetransactions

i'm probably missing something, but i'm not sure that creating a custom search command is needed here.

View solution in original post

Reply
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎04-21-2011 07:51 AM

if the three separate audit events that make up the failed access always have the same structure or format, you can define a transaction to represent them, and then search for/alert on that instead:

http://www.splunk.com/base/Documentation/latest/Knowledge/Abouttransactions
http://www.splunk.com/base/Documentation/latest/Knowledge/Definetransactions

i'm probably missing something, but i'm not sure that creating a custom search command is needed here.

Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎04-21-2011 03:59 PM

correct, you can use search-time field extractions to make this happen:
http://www.splunk.com/base/Documentation/latest/Knowledge/Createandmaintainsearch-timefieldextractio...

0 Karma
Reply
Solved! Jump to solution

chadroberts
Path Finder
‎04-21-2011 08:15 AM

Thanks for the reply. If my first read of the transaction documentation is correct it needs to key off of a common field in each of the events. What I look at when doing a manual review is a section that looks like:

audit([epoch_time].[milliseconds]:[audit_event])

where [audit_event] is the important part between the 3 lines of correlated audit data. Splunk currently doesn't see that as a field so I'll have to tell splunk that is important first, correct?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...