How to detect fail password on Splunk?

cedSplunk2023
Observer

How to detect fail password on Splunk?

0 Karma

gcusello
SplunkTrust

Hi @cedSplunk2023,

your question is just a little vague!

failed password on which operating system (Windows, Linux, etc...) or application or appliance?

Anyway, to answer this question you don't need a Splunk expert but someone that knows the target environment.

e.g. to find the failed password on Windows, you have to search for EventCode=4625; for Splunk, you have to search "ERROR AuthenticationManagerSplunk - Login failed".

In addition you need to know in which index the data are stored, e.g. Splunk logs are in "_internal", wineventlogs are usually in "wineventlog".

In conclusion, to find the failed logins in Windows, you have to search:

index=wineventlog EventCode=4625

To find the failed logins in Splunk, you have to search:

index=_internal "ERROR AuthenticationManagerSplunk - Login failed"

Remember that finding something in Splunk depends 70% on your knowledge of the target and 30% on your Splunk knowledge.

Ciao.

Giuseppe

0 Karma
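
Building on the Windows search in the answer above, an added example (not part of the original post) that turns the raw event search into a threshold detection. It assumes the `user` and `src` fields are extracted for EventCode 4625 (as the Splunk Add-on for Windows normally does); the 10-minute window and the thresholds of 5 are arbitrary starting values to tune for your environment.

```spl
index=wineventlog EventCode=4625
| bin _time span=10m
| stats count AS failures dc(user) AS distinct_users values(user) AS users BY _time src
| where failures >= 5
| eval pattern=if(distinct_users >= 5, "many accounts from one source", "repeated failures on few accounts")
| sort - failures
```

If `src` is empty in your data, group by `host` or whichever field your sourcetype uses for the originating address.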