Reporting

Report on SSH login attempts from the foreign source IP address

gisnetsec
Explorer

I have several firewall appliances logging into one syslog file and would like to report on the number of SSH login attempts by the external source IP. The fields are a little different from typical syslog format. The appliances do not have the same rule base, so I can't key on rule number.

May 25 07:20:53 10.1.2.3 2011: May 25 15:37:39 fw_appl <50000> Dropped Inbound packet (Policy rule) Src:85.1.2.3 SPort:2624 Dst:62.1.2.3 DPort:22 IPP:6 Rule:21 Interface:WAN (Internet)

May 25 07:20:54 10.1.2.3 2011: May 25 15:37:40 fw_appl <50000> Dropped Inbound packet (Policy rule) Src:85.1.2.3 SPort:2639 Dst:62.1.2.3 DPort:22 IPP:6 Rule:21 Interface:WAN (Internet)

0 Karma

ftk
Motivator

How about this:

"Dropped Inbound packet" Interface="WAN (Internet)" DPort=22 NOT Src=10.* NOT Src=192.168.* | stats count by host, Src

This search assumes that all the fields in your syslog message are extracted by Splunk.

ftk
Motivator

From your question I assumed you wanted to see stats on both src ip as well as firewall device. If you just want the src ip, modify your search as such: | stats count by Src

0 Karma

gisnetsec
Explorer

Maybe the Src: field is not extracted as expected.

0 Karma

gisnetsec
Explorer

It seems to track the device IP address as the host instead of Src:x.x.x.x. When I go to report, I see the firewall appliance and the count of SSH logins, without tracking how many times the foreign address attempted.

0 Karma
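The extraction problem the thread ends on (the appliance writes Src as a colon-separated Key:Value pair, so it is not picked up as a field) can be checked outside Splunk. The following is an added example, not code from any poster: it parses constructed sample lines in the appliance's format and counts dropped inbound SSH attempts from external sources, keyed by Src alone or by (host, Src) as in ftk's stats.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events (not real traffic) in the appliance's format seen in the question.
SAMPLE_LOGS = """\
May 25 07:20:53 10.1.2.3 2011: May 25 15:37:39 fw_appl <50000> Dropped Inbound packet (Policy rule) Src:85.1.2.3 SPort:2624 Dst:62.1.2.3 DPort:22 IPP:6 Rule:21 Interface:WAN (Internet)
May 25 07:20:54 10.1.2.3 2011: May 25 15:37:40 fw_appl <50000> Dropped Inbound packet (Policy rule) Src:85.1.2.3 SPort:2639 Dst:62.1.2.3 DPort:22 IPP:6 Rule:21 Interface:WAN (Internet)
May 25 07:21:10 10.1.2.3 2011: May 25 15:37:56 fw_appl <50000> Dropped Inbound packet (Policy rule) Src:91.203.4.5 SPort:4411 Dst:62.1.2.3 DPort:22 IPP:6 Rule:9 Interface:WAN (Internet)
May 25 07:21:15 10.1.2.4 2011: May 25 15:38:01 fw_appl <50000> Dropped Inbound packet (Policy rule) Src:192.168.5.9 SPort:5100 Dst:62.1.2.4 DPort:22 IPP:6 Rule:3 Interface:LAN
May 25 07:21:20 10.1.2.4 2011: May 25 15:38:06 fw_appl <50000> Dropped Inbound packet (Policy rule) Src:85.1.2.3 SPort:2700 Dst:62.1.2.4 DPort:443 IPP:6 Rule:21 Interface:WAN (Internet)
May 25 07:21:25 10.1.2.4 2011: May 25 15:38:11 fw_appl <50000> Dropped Inbound packet (Policy rule) Src:85.1.2.3 SPort:2701 Dst:62.1.2.4 DPort:22 IPP:6 Rule:21 Interface:WAN (Internet)
"""

HEADER_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$")
# Trailer fields are "Key:Value" (colon, not "="), the likely reason automatic key=value
# extraction misses Src. Keys are whitelisted because the embedded timestamp also contains
# colons; a value runs to the next known key, so "Interface:WAN (Internet)" keeps its space.
KEYS = "Src|SPort|Dst|DPort|IPP|Rule|Interface"
FIELD_RE = re.compile(rf"\b(?P<key>{KEYS}):(?P<val>.*?)(?= (?:{KEYS}):|$)")

def parse_line(line):
    """Return {'host', 'msg', 'Src', 'DPort', ...} for one event, or None if malformed."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {"host": m.group("host"), "msg": m.group("msg")}
    for f in FIELD_RE.finditer(m.group("msg")):
        event[f.group("key")] = f.group("val").strip()
    return event

def is_external(ip_text):
    """True for a globally routable address; RFC1918, loopback, link-local and the like
    are excluded, which is stricter than the NOT Src=10.* NOT Src=192.168.* filter."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False

def ssh_attempts(lines, by_host=False):
    """Count dropped inbound SSH attempts from external sources on the WAN interface,
    keyed by Src (the asker's report) or by (host, Src) (ftk's stats)."""
    counts = Counter()
    for ev in filter(None, map(parse_line, lines)):
        if "Dropped Inbound packet" not in ev["msg"] or ev.get("DPort") != "22":
            continue
        if not ev.get("Interface", "").startswith("WAN") or not is_external(ev.get("Src", "")):
            continue
        counts[(ev["host"], ev["Src"]) if by_host else ev["Src"]] += 1
    return counts
```

Inside Splunk the same field can be pulled out inline before the stats with a rex, for example `rex field=_raw "Src:(?<Src>\d+\.\d+\.\d+\.\d+)"`, so the count is keyed on the foreign address rather than the relaying host.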