Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

AWS Failed logins and coalesce command

samadmemon
Explorer
‎04-15-2019 09:19 AM

Hi All,

On tracking the failed logins for AWS console through Cloudtrail logs, errorCode for specific set of logs is not captured correctly.

CORRECT PARSING :

awsRegion: us-east-1

errorMessage: Failed authentication

eventID:

eventName: ConsoleLogin

eventSource: signin.amazonaws.com

eventTime:

eventType: AwsConsoleSignIn

eventVersion:

In the above log errorCode field is 'failure' which is true.

INCORRECT PARSING :

However, for the below log errorCode field is 'success'. Correct output should be errorCode=failure since it is a failed login whose user name is unknown.

awsRegion: us-east-1

errorMessage: No username found in supplied account

eventID:

eventName: CheckMfa

eventSource: signin.amazonaws.com

eventTime:

eventType: AwsConsoleSignIn

eventVersion: 1.05

PROPS.CONF :

Below is the entry for errorCode in props.conf

EVAL-errorCode = coalesce('errorCode',if(like('responseElements.ConsoleLogin',"Failure"),"failure", "success"),"success").

QUESTION :

Please suggest the way how we can achieve the following :

if errorMessage=No username found in supplied account OR errorMessage=Failed authentication then errorCode should be 'failure' else it should be a success.

what should be the entry in props.conf for EVAL-errorCode so that it can be overwritten in local folder.

Tags (1)
Reply

rmmiller
Contributor
‎11-19-2019 08:36 AM

coalesce is for dealing with null values when you have to deal with them. Also, like is for SQL-like comparisons, which you aren't really doing here.

CloudTrail inputs can be a little tricky. Are you sure they are being ingested correctly?

0 Karma
Reply

vcarbona
Path Finder
‎11-14-2019 08:32 AM

I'm thinking this field should not be overwritten rather a new field should be created indicating the status whether it is success or failure. Not sure if doing so will break anything else.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...