Security

Unable to see Failed_Logins

catch_mili
Explorer

Unable to get the desired output using the below search:
Failed_Logins_by_Host(*)

Installed the forwarder on a Solaris box, trying to log in using an incorrect password.
But no output.

0 Karma

catch_mili
Explorer

However, I am able to get other information like disk usage, successful user logins, config files overview.

0 Karma

MuS
Legend

Hi catch_mili

Recalling the install trouble you had, have you checked that the user running the Splunk forwarder on this Solaris box is able to read the required log files to get this information?
If this user does not have permission to read the log files, you will not get any information.

cheers,
MuS

0 Karma
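A quick way to verify the permission point made above, as an added example that is not part of this thread or of the Splunk *nix app's own code: it resolves a local account's uid and group memberships and checks the ownership and mode bits of the files the forwarder needs to read. The default path list (/var/adm/wtmpx, /var/adm/messages, /var/log/syslog) and the default account name "splunk" are assumptions for illustration; the check deliberately ignores ACLs and directory execute bits, so a file reported as readable could still be blocked by either of those.

```python
import grp
import os
import pwd
import stat

# Files the forwarder's scripted inputs are assumed to read on Solaris
# (assumption for this example, not the *nix app's own input list).
DEFAULT_PATHS = ["/var/adm/wtmpx", "/var/adm/messages", "/var/log/syslog"]


def user_ids(username):
    """Return (uid, set of gids) for a local account from the passwd/group databases."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def mode_allows_read(mode, file_uid, file_gid, uid, gids):
    """Pure permission-bit check: may account (uid, gids) read a file with these bits?

    Follows the classic owner/group/other evaluation order; root always passes.
    ACLs are not consulted (assumption: plain POSIX bits only).
    """
    if uid == 0:
        return True
    if file_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_paths(username, paths=DEFAULT_PATHS):
    """Return {path: 'readable' | 'NOT readable' | 'missing'} for the given account."""
    uid, gids = user_ids(username)
    report = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            report[path] = "missing"
            continue
        ok = mode_allows_read(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)
        report[path] = "readable" if ok else "NOT readable"
    return report


if __name__ == "__main__":
    import sys

    # Usage: python check_forwarder_perms.py <forwarder-user> [path ...]
    user = sys.argv[1] if len(sys.argv) > 1 else "splunk"
    paths = sys.argv[2:] or DEFAULT_PATHS
    for path, status in check_paths(user, paths).items():
        print(f"{status:14} {path}")
```

Run it as root (so that stat on every file succeeds) and pass the account the forwarder actually runs under; a file reported as "NOT readable" for that account is exactly the case where the forwarder silently produces nothing for that input.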

MuS
Legend

The lastlog.sh script provides this information. On Solaris this file is called wtmpx, but it is a binary file and it is in /var/adm/, not /var/log/.

0 Karma

catch_mili
Explorer

Still, I am able to fetch other data like /var/log/*,
but couldn't get failed logins.
I just need help on where to look on the Solaris server for the logs which are generated in case of a failed user login.
I mean, if I get to know the path, I will start monitoring those logs.
However, I have enabled all the logs which are present in inputs.conf.

0 Karma

MuS
Legend

Okay, in this case you don't get the needed data; it is either permissions, or something went wrong in the *nix App config on the universal forwarder.

0 Karma

catch_mili
Explorer

No, I didn't get anything other than "the timerange has been substituted based on your search string".

0 Karma

MuS
Legend

This is the search behind the macro in the *nix app:
index=os eventtype=failed_login host=$host$

If you search 'index=os eventtype=failed_login earliest=-1mon@mon', do you get anything besides the blue bar telling you the timerange has been substituted based on your search string?

0 Karma
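To make concrete what the macro's search is doing when it does find data, here is an added example that is not part of this thread or of the *nix app: it applies the same idea outside Splunk, matching syslog-style auth messages that indicate a failed login and counting them per host, optionally narrowed to one host as the $host$ argument does. The three failure patterns (OpenSSH "Failed password", PAM "authentication failure", and a Solaris login "LOGIN FAILURE ON ... FROM ..." message) are assumptions for this example, not the app's own failed_login eventtype definition, and the log lines are constructed, not captured from a real system.

```python
import re
from collections import Counter

# Message patterns treated as a failed login. Assumption for this example;
# the *nix app's failed_login eventtype may use different expressions.
FAILED_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    re.compile(r"authentication failure;.*\buser=(?P<user>\S*)"),
    re.compile(r"LOGIN FAILURE ON \S+ FROM (?P<src>[^,]+), (?P<user>\S+)"),
]

# Classic syslog layout: "<Mon dd HH:MM:SS> <host> <program>[pid]: <message>"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.+)$")


def parse_failed_login(line):
    """Return {'host', 'user', 'src'} if the line records a failed login, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    for pattern in FAILED_PATTERNS:
        fm = pattern.search(m.group("msg"))
        if fm:
            fields = fm.groupdict()
            return {
                "host": m.group("host"),
                "user": fields.get("user") or "?",
                "src": fields.get("src") or "?",
            }
    return None


def failed_logins_by_host(lines, host=None):
    """Count failed logins per host; with host set, behaves like the macro's host=$host$ filter."""
    counts = Counter()
    for line in lines:
        event = parse_failed_login(line)
        if event and (host is None or event["host"] == host):
            counts[event["host"]] += 1
    return dict(counts)


# Constructed sample input (not real data): two Solaris-style failures on sol10,
# one successful login that must be ignored, and two Linux-style failures on web01.
SAMPLE_LOG = """\
Feb  7 03:19:01 sol10 login[2214]: LOGIN FAILURE ON /dev/pts/3 FROM 10.0.0.5, gwtest
Feb  7 03:19:05 sol10 sshd[2220]: Failed password for gwtest from 10.0.0.5 port 51234 ssh2
Feb  7 03:19:09 sol10 sshd[2220]: Accepted password for gwtest from 10.0.0.5 port 51234 ssh2
Feb  7 03:20:00 web01 sshd[911]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Feb  7 03:20:02 web01 sshd[911]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=admin
""".splitlines()


if __name__ == "__main__":
    for h, n in sorted(failed_logins_by_host(SAMPLE_LOG).items()):
        print(f"{h}: {n} failed login(s)")
    print("sol10 only:", failed_logins_by_host(SAMPLE_LOG, host="sol10"))
```

If the same lines were indexed by Splunk but the eventtype search returned nothing, the cause is on the collection side (file never read, or the input not enabled), which is the situation this thread is chasing; if the lines were never indexed at all, no search-side change will help.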

catch_mili
Explorer

Yes, I am using the *nix app.
Also, I have enabled the app according to inputs.conf.

0 Karma

MuS
Legend

Assuming you are using the *nix app, have you enabled the corresponding inputs in the app?
http://docs.splunk.com/Documentation/UnixApp/latest/User/InstalltheSplunkAppforUnixandLinux#Enable_d...

0 Karma

catch_mili
Explorer

However, I am able to get other information like disk usage, successful user logins, config files overview.

drwxr-xr-x 9 gwtest infrasrv 1024 Feb 7 03:19 splunk

This is what I found.

The gwtest user has sudo access.

0 Karma