
Is it possible to have eventtypes for user authentication with different events?

pjohnson1
Path Finder


I am working on a TA for Aruba user authentication logs.

I have the action=success completed event 522008 but action=failure will be from another event 522042 (not the same event ID).

SAMPLE EVENTS

Successful

Oct 19 04:19:24 awc1 authmgr[1883]: <522008> <NOTI> <awc1 192.168.1.10>  User Authentication Successful: username=john.doe MAC=08:15:96:ab:ac:e0 IP=192.168.2.10 role=authenticated VLAN=601 AP=102.168.2.1 SSID=corp AAA profile=Auth_AaaProfile auth method=802.1x auth server=radius.lab.com

Failed

Oct 19 23:57:03 awc1 authmgr[1883]: <522042> <NOTI> <awc1 192.168.1.10>  User Authentication Failed: username=john.doe MAC=08:15:96:ab:ac:e0 IP=0.0.0.0 auth method=802.1x auth server=radius.lab.com

CONFIGS

eventtypes.conf

[aruba_user_authentication]
search = sourcetype=aruba_syslog Error_ID=522008
#tags = authentication default

transforms.conf

[aruba_user_action]
# "Failed" must be capitalised to match the log text; Splunk regexes are case-sensitive
REGEX = Authentication\s+(Successful|Failed)
FORMAT = aruba_user_action::$1
# applied to the data by a REPORT-aruba_user_action = aruba_user_action line in the aruba_syslog props.conf stanza

Thanks.

1 Solution

pjohnson1
Path Finder

UPDATE

By amending the search in eventtypes.conf I managed to get the failures too.

eventtypes.conf

[aruba_user_authentication]
# one OR between the two Error_IDs; parentheses make the sourcetype AND (id OR id) grouping explicit
search = sourcetype=aruba_syslog (Error_ID=522008 OR Error_ID=522042)
#tags = authentication default

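A way to check both the transforms.conf pattern and the two-ID eventtype logic offline before deploying them, as an added example that is not part of this thread or of the poster's TA: a Python script that runs the regex from the question (original lower-case form beside the case-corrected form) and the 522008/522042 filter from the accepted answer over constructed copies of the sample events. The third sample line and its 999999 ID are constructed placeholders, not real Aruba codes, and the mapping of Successful/Failed to the success/failure action values the question mentions is an assumption.

```python
import re

# Constructed sample events: the two lines posted in the question, plus a
# third line with a placeholder ID (999999, not a real Aruba code) that
# must NOT fall into the authentication eventtype.
SAMPLE_EVENTS = [
    "Oct 19 04:19:24 awc1 authmgr[1883]: <522008> <NOTI> <awc1 192.168.1.10>  "
    "User Authentication Successful: username=john.doe MAC=08:15:96:ab:ac:e0 "
    "IP=192.168.2.10 role=authenticated VLAN=601 AP=102.168.2.1 SSID=corp "
    "AAA profile=Auth_AaaProfile auth method=802.1x auth server=radius.lab.com",
    "Oct 19 23:57:03 awc1 authmgr[1883]: <522042> <NOTI> <awc1 192.168.1.10>  "
    "User Authentication Failed: username=john.doe MAC=08:15:96:ab:ac:e0 "
    "IP=0.0.0.0 auth method=802.1x auth server=radius.lab.com",
    "Oct 19 23:58:00 awc1 authmgr[1883]: <999999> <NOTI> <awc1 192.168.1.10>  "
    "Some other authmgr message: username=john.doe",
]

# Error IDs covered by the corrected eventtype search in the accepted answer.
AUTH_EVENT_IDS = {"522008", "522042"}

# Pattern as originally posted in transforms.conf: lower-case "failed".
ORIGINAL_ACTION_RE = re.compile(r"Authentication\s+(Successful|failed)")
# Corrected pattern: Splunk regexes are case-sensitive and the log says "Failed".
ACTION_RE = re.compile(r"Authentication\s+(Successful|Failed)")

ERROR_ID_RE = re.compile(r"<(\d+)>")          # first <NNNNNN> token is Error_ID
KV_RE = re.compile(r"\b(username|MAC|IP|role|VLAN|SSID)=(\S+)")

# Assumed normalisation of the raw word to the action values the question mentions.
ACTION_MAP = {"Successful": "success", "Failed": "failure"}


def original_regex_matches(line):
    """True if the thread's original (lower-case) regex would extract anything."""
    return ORIGINAL_ACTION_RE.search(line) is not None


def parse_event(line):
    """Extract Error_ID, the raw aruba_user_action word, a normalised action and key=value fields."""
    fields = {}
    m = ERROR_ID_RE.search(line)
    if m:
        fields["Error_ID"] = m.group(1)
    m = ACTION_RE.search(line)
    if m:
        fields["aruba_user_action"] = m.group(1)
        fields["action"] = ACTION_MAP[m.group(1)]
    for key, value in KV_RE.findall(line):
        fields[key] = value
    return fields


def in_auth_eventtype(fields):
    """Mirror of: sourcetype=aruba_syslog (Error_ID=522008 OR Error_ID=522042)."""
    return fields.get("Error_ID") in AUTH_EVENT_IDS


def summarise(lines):
    """Return (Error_ID, action, in_eventtype) per line: the view to check before deploying."""
    out = []
    for line in lines:
        f = parse_event(line)
        out.append((f.get("Error_ID"), f.get("action"), in_auth_eventtype(f)))
    return out


if __name__ == "__main__":
    for row in summarise(SAMPLE_EVENTS):
        print(row)
```

Running it shows the failed-authentication line gets no action at all under the original regex, which is exactly the symptom the thread is about; the corrected pattern and the two-ID filter put both sample events into the eventtype with distinct success and failure actions.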


MuS
SplunkTrust

Took me too long to type - so deleting my answer as you got it right here 🙂
