Getting Data In

Show Failed Login by user, IP Address

sarvan7777
New Member

Experts,

We are a financial institution using Splunk to capture failed login counts by username and IP address. We use 100s of applications within our enterprise, and not every application writes failed login attempts with username and IP details. There are 10s of vendor applications that only provide the username but no IP address. So we are thinking of getting the failed login and username from the logs and doing an automatic lookup for the IP address matching the username. Please advise:

a) whether this is feasible, as the IP address is not going to be static all the time
b) where to get the user/IP address details, as I have no knowledge of networking. Please advise if that will be available in LDAP, AD, firewall logs, etc., so that I can request our network team to provide it


lakshman239
SplunkTrust

If you have DHCP logs, they can give you a MAC address, IP and hostname. You can use the hostname/IP address from the DHCP logs and tie that to your data sources that contain a hostname or IP address.


FrankVl
Ultra Champion

And how would that allow you to find the IP address when a log only contains a username? I don't think DHCP logs usually contain information on which user is on a certain machine.


lakshman239
SplunkTrust

It doesn't contain the user name, only host/MAC/IP. Where you have scenarios of IP changes, we can relate that to the host and use logs that contain the hostname [e.g. Windows or others] to get users. Not a clean way, but in the above case it could be helpful based on what's logged and what's available, if we can tie them up.


FrankVl
Ultra Champion

You could use one of the log sources that does log both user and IP address to generate some kind of "session list" that stores which machine a user last logged on to, either as a summary index or as a lookup, which you could then use to link usernames appearing in other logs to IP addresses.

Some caveats though:
- if different applications use different user account names for the same person, this becomes a lot more tricky to manage
- there is no guarantee that if a user has logged on to a workstation with IP 10.0.0.1 and you then see a logon to application X by that same user, that logon actually came from 10.0.0.1. Especially if that user's account was compromised (or shared with a colleague etc.), the login likely comes from a different IP, and that would be exactly the kind of thing you want to be looking for.

So while technically you could keep track of user-IP relationships based on what workstation they last logged on to, for instance, it is not a reliable way of determining the source IP for application logons.

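Added example, not code from the thread or from Splunk: the "session list" approach from the answer above, written out in plain Python so the mechanics and the caveat are visible. One pass builds a per-user table of (time, IP) from logs that carry both fields; a second pass enriches failed-login events that carry only a username with the most recent logon at or before the event, and tags the result as inferred, stale or unknown rather than presenting it as an observed source IP. All log lines, field names, the 8-hour staleness window and the application names are constructed assumptions.

```python
"""
Time-aware user -> last-known-IP lookup for enriching failed logins that
carry only a username. Example code, not part of the original thread.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: a source that logs both user and source IP
# (e.g. workstation logons). Field order: time, user, ip.
WORKSTATION_LOGONS = [
    ("2024-03-01T08:00:00Z", "alice", "10.0.0.1"),
    ("2024-03-01T08:05:00Z", "bob",   "10.0.0.2"),
    ("2024-03-01T12:00:00Z", "alice", "10.0.0.7"),  # alice moves to another machine
]

# Constructed sample: vendor application failed logins with username only.
# Field order: time, user, app.
APP_FAILED_LOGINS = [
    ("2024-03-01T09:30:00Z", "alice", "vendor-app-1"),
    ("2024-03-01T13:00:00Z", "alice", "vendor-app-1"),
    ("2024-03-02T10:00:00Z", "bob",   "vendor-app-2"),  # last logon is a day old
    ("2024-03-02T10:10:00Z", "carol", "vendor-app-2"),  # no workstation logon known
]


def parse_ts(s):
    """Parse the constructed ISO-8601 UTC timestamps used above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_session_table(logons):
    """Build the 'session list': {user: [(time, ip), ...]} sorted by time."""
    table = {}
    for ts, user, ip in logons:
        table.setdefault(user, []).append((parse_ts(ts), ip))
    for sessions in table.values():
        sessions.sort()
    return table


def last_ip_before(sessions, when):
    """Most recent logon at or before `when`; a later logon must not be
    attributed to an earlier event, which a plain 'latest IP' lookup would do."""
    best = None
    for ts, ip in sessions:
        if ts <= when:
            best = (ts, ip)
        else:
            break
    return best


def enrich(failed_logins, table, max_age_hours=8):
    """Attach an inferred source IP to username-only events, with provenance."""
    out = []
    for ts, user, app in failed_logins:
        when = parse_ts(ts)
        hit = last_ip_before(table.get(user, []), when)
        if hit is None:
            out.append({"time": ts, "user": user, "app": app,
                        "src_ip": None, "ip_source": "unknown"})
            continue
        last_ts, ip = hit
        age_h = (when - last_ts).total_seconds() / 3600
        out.append({"time": ts, "user": user, "app": app, "src_ip": ip,
                    # "inferred" means: taken from a workstation logon, never observed
                    "ip_source": "inferred" if age_h <= max_age_hours else "stale",
                    "last_logon_age_hours": round(age_h, 2)})
    return out


def count_by_user_ip(enriched):
    """Failed-login count by (user, inferred IP), the figure the question asks for."""
    return Counter((r["user"], r["src_ip"]) for r in enriched)


if __name__ == "__main__":
    rows = enrich(APP_FAILED_LOGINS, build_session_table(WORKSTATION_LOGONS))
    for r in rows:
        print(r)
    print(count_by_user_ip(rows))
```

In Splunk terms the first pass corresponds to writing the session table with `outputlookup` (or a summary index) and the second to a `lookup` against it. Keeping the `ip_source` field in the enriched events matters for the caveat in the answer: any alert built on these counts should show that the IP was inferred from a workstation logon, so that an analyst does not treat it as the address the application login actually came from.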