Security

What is the best way to see the alert in action?

abreslin
Observer

I followed a tutorial on how to create an alert for a failed root login by typing "failed password for root". The alert is created, but I want to see the alert be triggered. I'm working on a VM; what's the best way to see the alert in action?

0 Karma

gcusello
SplunkTrust

Hi @abreslin.

This alert is related to a failed access to a Linux system, so you only have to try to access your Linux target system with a wrong account or a wrong password.

What's your problem?

Ciao.

Giuseppe


0 Karma

abreslin
Observer

Thank you so much for the quick reply! I'm sorry, I'm new to all of this. I'm using Splunk on Windows. Is there an alert I can set up to get triggered by failed logins with Windows?

0 Karma

gcusello
SplunkTrust

Hi @abreslin,

the EventCode of the failed login in Windows is 4625 so you have to check it:

index=wineventlog EventCode=4625
| stats count BY host Account_name
| where count>10

Obviously, you can choose the final threshold you prefer.

Only one final piece of information: Windows can be useful for testing (I use it on my laptop), for a Proof of Concept or for a very small infrastructure, but I have never seen any production system using Windows as its Operating System!

Ciao.

Giuseppe

0 Karma
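The two detections discussed in this thread (the tutorial's "failed password for root" string match for Linux, and the EventCode 4625 count-per-host-and-account threshold for Windows) can be exercised offline before the alert is pointed at a real index. The script below is an added example, not code from the thread or from Splunk: it re-implements both searches in Python over constructed sample events (sshd lines in the usual auth.log layout, and simplified Windows Security events in the key/value layout Splunk's Windows add-on indexes; real 4625 events carry many more lines). The function names, host names and account names are all invented for the illustration.

```python
"""Added example (not from the thread): replay the Linux and Windows failed-login
detections discussed above over constructed sample events."""
import re
from collections import Counter

# --- Constructed sample input -------------------------------------------------

# Linux: sshd lines in the format written to /var/log/auth.log (sample, constructed).
LINUX_AUTH_LOG = """\
Nov 20 10:01:02 web01 sshd[1201]: Failed password for root from 10.0.0.5 port 51022 ssh2
Nov 20 10:01:04 web01 sshd[1201]: Failed password for root from 10.0.0.5 port 51023 ssh2
Nov 20 10:01:09 web01 sshd[1203]: Accepted password for alice from 10.0.0.7 port 51030 ssh2
Nov 20 10:01:11 web01 sshd[1205]: Failed password for invalid user admin from 10.0.0.9 port 51040 ssh2
"""

def make_windows_event(host, account, event_code=4625):
    """Build a simplified Windows Security event in the key/value layout the
    Splunk Windows add-on indexes (constructed sample; a real event has many
    more lines, including a second 'Account Name:' under the Subject block)."""
    return (
        "11/20/2023 10:02:01 AM\n"
        "LogName=Security\n"
        f"EventCode={event_code}\n"
        f"ComputerName={host}\n"
        "Account For Which Logon Failed:\n"
        f"\tAccount Name:\t\t{account}\n"
    )

WINDOWS_EVENTS = (
    [make_windows_event("dc01", "bob") for _ in range(12)]      # 12 failures: should alert
    + [make_windows_event("dc01", "carol") for _ in range(3)]   # 3 failures: below threshold
    + [make_windows_event("dc01", "alice", event_code=4624)]    # successful logon: ignored
)

# --- Detection logic ----------------------------------------------------------

LINUX_FAILED = re.compile(
    r"^\S+ \d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<account>\S+)"
)

def linux_root_failures(log_text):
    """The tutorial alert from the question: every line containing
    'failed password for root' (case-insensitive, like a Splunk keyword search)."""
    return [ln for ln in log_text.splitlines() if "failed password for root" in ln.lower()]

def linux_failures(log_text):
    """Return (host, account) for every failed sshd password attempt."""
    pairs = []
    for line in log_text.splitlines():
        m = LINUX_FAILED.match(line)
        if m:
            pairs.append((m["host"], m["account"]))
    return pairs

WIN_CODE = re.compile(r"^EventCode=(\d+)$", re.M)
WIN_HOST = re.compile(r"^ComputerName=(\S+)$", re.M)
WIN_ACCOUNT = re.compile(r"^\s*Account Name:\s+(\S+)$", re.M)

def windows_failures(events, event_code=4625):
    """Return (host, account) for every event carrying the failed-logon
    EventCode, mirroring 'index=wineventlog EventCode=4625'."""
    pairs = []
    for ev in events:
        code = WIN_CODE.search(ev)
        host = WIN_HOST.search(ev)
        acct = WIN_ACCOUNT.search(ev)
        if code and host and acct and int(code.group(1)) == event_code:
            pairs.append((host.group(1), acct.group(1)))
    return pairs

def failures_over_threshold(pairs, threshold=10):
    """'| stats count BY host Account_Name | where count>10' over (host, account)
    pairs: return {(host, account): count} for pairs strictly above the threshold."""
    counts = Counter(pairs)
    return {key: n for key, n in counts.items() if n > threshold}

if __name__ == "__main__":
    print("Linux 'failed password for root' hits:", len(linux_root_failures(LINUX_AUTH_LOG)))
    print("Linux failures by host/account:", dict(Counter(linux_failures(LINUX_AUTH_LOG))))
    print("Windows accounts over threshold:", failures_over_threshold(windows_failures(WINDOWS_EVENTS)))
```

Note that the threshold is strictly greater than, exactly like `where count>10`: on the sample data the two root failures on web01 never trip the count-based rule, while the plain string match from the tutorial fires on every one of them. That difference is the usual reason to keep both kinds of alert: the keyword alert confirms the pipeline works on a single test login, and the thresholded one is what you would actually leave enabled.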