
Show Failed Login by user, IP Address

sarvan7777
New Member

Experts,

We are a financial institution using Splunk to capture failed login counts by username and IP address. We use hundreds of applications within our enterprise, and not every application writes failed login attempts with username and IP details. There are tens of vendor applications that only provide a username but no IP address. So, we are thinking of getting the failed login and username from the logs and doing an automatic lookup for the IP address matching the username. Please advise

a) if this is feasible as IP address is not going to be static all the time
b) From where to get the user and IP address details, as I have no knowledge of networking. Please advise if that will be available in LDAP, AD, firewall logs etc., so that I can request our network team to provide it


lakshman239
SplunkTrust
SplunkTrust

If you have DHCP logs, those can give you a MAC address, IP and hostname. You can use the hostname/IP address from the DHCP logs and tie that to your data sources that have a hostname or IP address to link them up.


FrankVl
Ultra Champion

And how would that allow you to find the IP address when a log only contains a username? I don't think DHCP logs usually contain information on which user is on a certain machine.


lakshman239
SplunkTrust
SplunkTrust

It doesn't contain the user name, only host/MAC/IP. Where you have scenarios of IP changes, we can relate that to the host and use logs that contain the hostname [e.g. Windows or others] to get users. Not a clean way, but in the above case it could be helpful based on what's logged and what's available, if we can tie them up.


FrankVl
Ultra Champion

You could use one of the log sources that does log both user and IP address to generate some kind of "session list" that stores which machine a user last logged on to, either as a summary index or as a lookup, which you could then use to link usernames appearing in other logs to IP addresses.

Some caveats though:
- if different applications use different user account names for the same person, this becomes a lot more tricky to manage
- there is no guarantee that if a user has logged on to a workstation with IP 10.0.0.1 and you then see a logon to application X by that same user, that that logon actually came from 10.0.0.1. Especially if that user's account was compromised (or shared with a colleague etc.), the login likely comes from a different IP, and that would be exactly the kind of stuff you want to be looking for.

So while technically, you could keep track of user-IP relationships based on what workstation they last logged on to for instance, it is not a reliable way of determining the source IP for application logons.

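The "session list" approach from this answer, written out as an added example (it is not from the thread, and not Splunk's own documentation): one scheduled search maintains a user-to-last-workstation-IP lookup from a source that logs both user and IP, and a second search enriches vendor logs that only carry a username. The index names, sourcetypes and field names (`index=wineventlog`, `index=app_logs`, `sourcetype="vendor:auth"`, `user`, `src`, `action`) are assumptions for the example; substitute your own. The report keeps the age of each mapping and flags disagreements with any source IP the application does log, so the caveats above stay visible rather than hidden behind a single "src_ip" column.

```ini
# savedsearches.conf (added example, not from the thread).
# Index, sourcetype and field names below are assumptions; adjust to your data.

[build_user_last_ip_lookup]
# Every 15 minutes, take successful Windows logons (EventCode 4624) of the
# interactive types (2 = console, 10 = RDP, 11 = cached) so that src is the
# user's workstation, record the newest IP per user, and merge it with the
# existing lookup so users not seen in the last 24h keep their last mapping.
cron_schedule = */15 * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
search = index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type IN (2,10,11) \
  | eval user=lower(user) \
  | stats latest(_time) AS last_seen, latest(src) AS last_ip BY user \
  | inputlookup append=true user_last_ip.csv \
  | sort 0 user, -last_seen \
  | dedup user \
  | outputlookup user_last_ip.csv

[vendor_failed_logins_with_inferred_ip]
# Hourly report of failed logins from applications that log only a username.
# lookup_age_hours shows how stale the workstation mapping is; ip_source says
# whether the IP was logged by the app or merely inferred; ip_mismatch marks
# the case where the app did log a source IP and it differs from the user's
# workstation, which is the situation worth investigating rather than masking.
# lower() only normalises case: if apps use different account names for the
# same person, a separate account-to-person lookup is still needed.
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = now
search = index=app_logs sourcetype="vendor:auth" action=failure \
  | eval user=lower(user) \
  | lookup user_last_ip.csv user OUTPUT last_ip AS inferred_ip, last_seen \
  | eval lookup_age_hours=round((_time - last_seen)/3600, 1) \
  | eval ip_source=case(isnotnull(src), "logged_by_app", isnotnull(inferred_ip), "inferred_from_workstation", true(), "unknown") \
  | eval ip_mismatch=if(isnotnull(src) AND isnotnull(inferred_ip) AND src!=inferred_ip, "yes", "no") \
  | eval src_ip=coalesce(src, inferred_ip) \
  | stats count AS failed_logins, values(src_ip) AS src_ip, max(lookup_age_hours) AS lookup_age_hours, values(ip_mismatch) AS ip_mismatch BY user, ip_source
```

The lookup file is created by the first `outputlookup` run, so schedule the build search before the report. Treat rows with `ip_source=inferred_from_workstation` as a hint about where the user probably was, not as the connection source for the application logon; a large `lookup_age_hours` or `ip_mismatch=yes` is the signal the second caveat above describes.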