Solved: Re: Authentication extraction for Unix add-on and ...

mdessus_splunk · ‎04-01-2015

For the ones who use the Unix addon for extracting authentication events for Enterprise Security, and some events are not recognized, mainly on Ubuntu Linux (not tested on other distribs), here's the one I've added. Feel free to correct/complement them.

To be added in etc/apps/Splunk_TA_nix/local/props.conf:

[source::/var/log/auth.log]
EXTRACT-app_and_dest = ^\w+ +\d+ \d\d:\d\d:\d\d (?<dest>\w+) (?<app>\S+)\[\d+\]
EXTRACT-ssh_details = (?<vendor_action>Failed|Accepted) \w+ for (invalid user )*(?<user>\S+) from (?<src>\d+\.\d+\.\d+\.\d+) port (?<src_port>\d+)
EXTRACT-sudo_open_details = ^\w+ +\d+ \d\d:\d\d:\d\d \w+ (?<app>sudo): pam_unix\(sudo:session\): (?<vendor_action>session \w+) for user (?<user>\w+) by (?<src_user>\w+)
LOOKUP-action_for_linux_auth = nix_action_lookup vendor_action OUTPUTNEW action

mdessus_splunk · ‎04-01-2015

The answer is in the question 🙂

View solution in original post

ycourbe · ‎08-18-2017

I slightly changed EXTRACT-sudo_open_details so it also works with "su"

^\w+ \d+ \d{2}:\d{2}:\d{2} (?<src>.+) (?<app>\w+).*: pam_unix\(.+:session\): (?<vendor_action>session \w+) for user (?<user>\w+)

For the rest it works perfect with my RHEL. Thanks !

mdessus_splunk · ‎04-01-2015

The answer is in the question 🙂

Authentication extraction for Unix add-on and Enterprise Security (tested un Ubuntu Linux)

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

Video | Tom’s Smartness Journey Continues

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?