Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Security
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Is it possible to have eventtypes for user authent...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pjohnson1
Path Finder
10-19-2015
05:24 PM
Is it possible to have eventtypes for user authentication with different events?
I am working on a TA for Aruba user authentication logs.
I have the action=success completed event 522008 but action=failure will be from another event 522042 (not the same event ID).
SAMPLE EVENTS
Successful
Oct 19 04:19:24 awc1 authmgr[1883]: <522008> <NOTI> <awc1 192.168.1.10> User Authentication Successful: username=john.doe MAC=08:15:96:ab:ac:e0 IP=192.168.2.10 role=authenticated VLAN=601 AP=102.168.2.1 SSID=corp AAA profile=Auth_AaaProfile auth method=802.1x auth server=radius.lab.com
Failed
Oct 19 23:57:03 awc1 authmgr[1883]: <522042> <NOTI> <awc1 192.168.1.10> User Authentication Failed: username=john.doe MAC=08:15:96:ab:ac:e0 IP=0.0.0.0 auth method=802.1x auth server=radius.lab.com
CONFIGS
eventtypes.conf
[aruba_user_authentication]
search = sourcetype=aruba_syslog Error_ID=522008
#tags = authentication default
transforms.conf
[aruba_user_action]
REGEX = Authentication\s+(Successful|failed)
FORMAT = aruba_user_action::$1
Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pjohnson1
Path Finder
10-19-2015
06:14 PM
UPDATE
By amending the search in eventtypes.conf I managed to get the failure's too..
eventtypes.conf
[aruba_user_authentication]
search = sourcetype=aruba_syslog Error_ID=522008 OR OR Error_ID=522042
#tags = authentication default
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pjohnson1
Path Finder
10-19-2015
06:14 PM
UPDATE
By amending the search in eventtypes.conf I managed to get the failure's too..
eventtypes.conf
[aruba_user_authentication]
search = sourcetype=aruba_syslog Error_ID=522008 OR OR Error_ID=522042
#tags = authentication default
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
10-19-2015
06:23 PM
Took me too long to type - so deleting my answer as you got it right here 🙂
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Introduction to Splunk AI
How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...
Maximizing the Value of Splunk ES 8.x
Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...
