grabbing IP from ssh auth log

Hi there, new to splunk.

I have some records that take two different forms (both denote a failed ssh login). I want to make a chart of the top offending remote IP addresses. Can I extract the IP in the same query from these strings even though they have a different number of words preceding it?

Mar 27 19:45:22 10.20.10.160 Mar 27 19:45:22 monitor-demo sshd[26449]: Failed password for root from 116.10.191.209 port 2024 ssh2
Mar 27 19:45:22 10.20.10.160 Mar 27 19:45:22 monitor-demo sshd[26447]: Failed password for invalid user admin from 116.10.191.209 port 2016 ssh2


Hi kevinlong206,

you can do something like this if the IP is always after from and before port:

.... | rex field=_raw "from\s(?<theBadGuy>.+)\sport" | ....

or, to make sure you only grab numbers:

.... | rex field=_raw "from\s(?<theBadGuy>(\d+\.){3}\d+)\sport" | ...

this will create a new field called theBadGuy which can be used further.

hope this helps ...

cheers, MuS
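The two rex patterns above can be tried out offline before they go into a search. The following is an added example (not from the original thread or from Splunk) that applies both patterns to the question's two events plus a few constructed ones and counts the failed logins per source IP, the same thing a `| stats count by theBadGuy | sort - count` would do. Python's `re` module spells named groups `(?P<name>...)` rather than the `(?<name>...)` that Splunk's rex accepts, so the patterns are rewritten accordingly; the function names and the extra sample lines are assumptions for this example.

```python
import re
from collections import Counter

# Constructed sample events: the first two are the lines quoted in the question,
# the rest are made up here to exercise the patterns (including a user literally
# named "from" and one successful login that must not be counted).
SAMPLE_EVENTS = [
    "Mar 27 19:45:22 10.20.10.160 Mar 27 19:45:22 monitor-demo sshd[26449]: Failed password for root from 116.10.191.209 port 2024 ssh2",
    "Mar 27 19:45:22 10.20.10.160 Mar 27 19:45:22 monitor-demo sshd[26447]: Failed password for invalid user admin from 116.10.191.209 port 2016 ssh2",
    "Mar 27 19:46:01 10.20.10.160 Mar 27 19:46:01 monitor-demo sshd[26460]: Failed password for invalid user test from 198.51.100.7 port 40112 ssh2",
    "Mar 27 19:46:03 10.20.10.160 Mar 27 19:46:03 monitor-demo sshd[26461]: Failed password for invalid user from from 198.51.100.7 port 40118 ssh2",
    "Mar 27 19:46:05 10.20.10.160 Mar 27 19:46:05 monitor-demo sshd[26462]: Accepted publickey for deploy from 10.20.10.5 port 51022 ssh2",
]

# Loose form of the answer's first rex: anything between "from " and " port".
LOOSE_RE = re.compile(r"from\s(?P<theBadGuy>.+)\sport")

# Strict form of the second rex: exactly four dot-separated digit groups, so the
# engine skips a "from" that is not followed by an address and keeps looking.
STRICT_RE = re.compile(r"from\s(?P<theBadGuy>(?:\d+\.){3}\d+)\sport")

# Only failed-password events feed the offender chart.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for ")


def extract_bad_guy(event, pattern=STRICT_RE):
    """Return the value the rex would put into theBadGuy, or None if no match."""
    m = pattern.search(event)
    return m.group("theBadGuy") if m else None


def top_offenders(events, limit=10):
    """Count failed logins per extracted source IP, most frequent first."""
    counts = Counter()
    for event in events:
        if not FAILED_RE.search(event):
            continue
        ip = extract_bad_guy(event)
        if ip:
            counts[ip] += 1
    return counts.most_common(limit)


if __name__ == "__main__":
    for ip, n in top_offenders(SAMPLE_EVENTS):
        print(f"{ip}\t{n}")
    # The constructed event with a user named "from" shows why the numeric
    # pattern is safer: the loose one captures "from 198.51.100.7".
    print(extract_bad_guy(SAMPLE_EVENTS[3], LOOSE_RE))
    print(extract_bad_guy(SAMPLE_EVENTS[3], STRICT_RE))
```

The fourth constructed event is the case the second rex guards against: with `.+` the field picks up the stray word before the address, while the digit-group pattern backtracks to the real `from <ip> port` and returns just the address.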