Splunk Dev

correlate 2 events with uid in a table

amir_thales
Path Finder

Hello,

I want information about the USB keys mounted on the system, but /var/log/messages and /var/log/audit/audit.log do not give enough interesting information about the USB sticks.

So I want to use the data contained in /etc/passwd and /etc/mtab to correlate the information and thus deduce, in a table, the login of the current session and the name of the USB key mounted on it.

I used the Unix add-on to generate the information contained in /etc/passwd, but this add-on does not offer to generate the information of /etc/mtab, so I configured Splunk to monitor this file. Since this file is dynamic, when a line is added at the end of the file as we insert a USB key, this line is automatically generated in Splunk.

Now I want to find a way to correlate message 1 with message 2.

I want to correlate the uid, i.e. in message 1 we see that there is the uid 500, so I will use message 2 to deduce that 500 = local_splunk. After correlating the uids I want to make a table that will show me the uid, the user and the name of the USB key mounted.

Thank you
Amir

0 Karma
1 Solution

amir_thales
Path Finder

Something like that, but the field user is empty:
[screenshot]

Thank you
Amir

**PS: I'm going to leave soon because it's getting late, and I'll be back to work next Monday because I'm at school at the end of the week. From my return on Monday I will continue on that, so if I do not answer it is just because I will not be there.

Thank you very much for your help.**


0 Karma

amir_thales
Path Finder

Hello @elliotproebstel,

I have a table with uid and user which are correlated, but I don't have the name of the USB key in the field usb_key.

Amir

0 Karma

amir_thales
Path Finder

Excuse me, I did not read what was written above.

I will extract this data and test.

Thank you
Amir

0 Karma

elliotproebstel
Champion

Would you like help writing the rex command to extract it? If so, can you show the source event and highlight which part you're extracting? I'm guessing you'd be looking at the first event for /media/Transcend, but I'm not certain. Can you also show if the usb_key value that you want to extract is currently in another field or just a part of the _raw event data?

0 Karma
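The correlation the question describes (uid taken from the mount options in /etc/mtab, resolved to a login through /etc/passwd, with the USB key named after its mount point, as elliotproebstel's /media/Transcend guess suggests) can be checked outside Splunk before writing the search. The following is an added example, not code from the thread or from Splunk; the passwd and mtab lines are constructed samples, and the `UID_OPTION` regex is the same expression one would give to a `rex` command to pull the uid out of the options field. It goes slightly beyond the thread by also handling a mount whose uid has no passwd entry and by ignoring system filesystems that carry no `uid=` option.

```python
import re
from typing import Dict, List, Optional

# Constructed /etc/passwd sample (not taken from the thread).
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
local_splunk:x:500:500:Splunk local user:/home/local_splunk:/bin/bash
alice:x:501:501::/home/alice:/bin/bash
"""

# Constructed /etc/mtab sample. A desktop automounter adds uid=/gid= options
# when it mounts vfat or ntfs media for the user who plugged the key in; the
# root filesystem line has no such option and must not produce a row.
MTAB_SAMPLE = """/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/Transcend vfat rw,nosuid,nodev,relatime,uid=500,gid=500,fmask=0022,dmask=0022 0 0
/dev/sdc1 /media/alice/KINGSTON vfat rw,nosuid,nodev,relatime,uid=501,gid=501 0 0
/dev/sdd1 /media/unknown_disk vfat rw,nosuid,nodev,uid=999,gid=999 0 0
"""

# Match "uid=<digits>" only as a whole option, so "fsuid=12" is not mistaken
# for it. The same pattern works in Splunk as: rex field=_raw "(?:^|,)uid=(?<uid>\d+)"
UID_OPTION = re.compile(r"(?:^|,)uid=(?P<uid>\d+)(?:,|$)")


def parse_passwd(text: str) -> Dict[str, str]:
    """Map numeric uid (as a string) to login name from /etc/passwd-style lines."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line, skip rather than crash
        users[fields[2]] = fields[0]
    return users


def parse_mtab(text: str) -> List[dict]:
    """One record per mtab line: device, mountpoint, fstype and the owning uid, if any."""
    mounts: List[dict] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, options = parts[:4]
        match = UID_OPTION.search(options)
        uid: Optional[str] = match.group("uid") if match else None
        mounts.append({"device": device, "mountpoint": mountpoint,
                       "fstype": fstype, "uid": uid})
    return mounts


def correlate(passwd_text: str, mtab_text: str) -> List[dict]:
    """Join mounts to users on uid; the USB key name is the last path component."""
    users = parse_passwd(passwd_text)
    rows: List[dict] = []
    for mnt in parse_mtab(mtab_text):
        if mnt["uid"] is None:
            continue  # no per-user owner option: a system filesystem, not a user-mounted key
        rows.append({
            "uid": mnt["uid"],
            "user": users.get(mnt["uid"], "unknown"),  # uid with no passwd entry
            "usb_key": mnt["mountpoint"].rstrip("/").rsplit("/", 1)[-1],
            "device": mnt["device"],
        })
    return rows


def format_table(rows: List[dict]) -> str:
    """Render the correlated rows as the uid / user / usb_key table asked for."""
    header = f"{'uid':<6}{'user':<14}{'usb_key':<16}{'device'}"
    lines = [header] + [f"{r['uid']:<6}{r['user']:<14}{r['usb_key']:<16}{r['device']}"
                        for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(correlate(PASSWD_SAMPLE, MTAB_SAMPLE)))
```

Two caveats when moving this into a monitored input: the `uid=` option only appears for filesystems that have no native ownership (vfat, ntfs and similar), so a USB key formatted ext4 will show up in mtab without it and will be dropped by this logic; and on many current distributions /etc/mtab is a symlink to /proc/self/mounts rather than a file that grows by appends, so check which case applies before relying on file monitoring to catch new lines.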