I am trying to monitor anonymous logins and login failures on my servers. My search runs fine, but it pulls out all the users that are connecting. I would like to exclude a list of users that are validated users of my organization and report the rest of the login and login-failure attempts in my report. Please help.
You probably should use a lookup; you can either have the data in a file (which could be dynamically generated from another search) and then validate against that list:
You can also build an external lookup against an LDAP query (there is probably even an app for this for AD).
I do have a lookup file with the user list in it, but how do I exclude these users from showing up in the report? I usually use a lookup to pop up blacklisted IPs or such.
Assuming you have a field username (adjust if not) and not a huge number of them, like this:
<your other search stuff> NOT [| inputcsv GoodUserFile | fields username ]
I would use a subsearch here and the lookup table. You could also just list the users out as well.
Assuming your base search is, for example, "index=www login", and you loaded your list of users into the lookup "listofyourusers":
index=www login | search NOT [ | inputlookup listofyourusers]
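As an added example (not posted by either answerer above), here is the same exclusion written as a lookup join instead of a subsearch, which covers both the inputcsv and the inputlookup answers and does not depend on the subsearch result limit that makes the subsearch form suitable only for a modest number of users. It assumes a lookup named GoodUserFile whose single column is username, and events carrying a username field and an action field whose value is "failure" on failed logins; those field and lookup names are assumptions, adjust them to your data.

```spl
index=www login
| lookup GoodUserFile username OUTPUT username AS known_user
| where isnull(known_user)
| stats count AS attempts, count(eval(action="failure")) AS failures BY username
| sort - attempts
```

The lookup adds known_user only to events whose username matched a row in GoodUserFile, so where isnull(known_user) keeps exactly the unlisted users, and stats then summarises their attempts and failures. Two things to check on your own data: an event with no username field at all also has no known_user and will pass the filter (add username=* to the base search if you want to drop those), and lookup matching is case-sensitive by default, so "Alice" and "alice" are different users unless the lookup is configured otherwise.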
What is your initial search that gets you this far?
"I am trying to monitor anonymous logins and login failures on my servers. My search runs fine"....