Hello
I'm new to this community and my first question is this: How do I make a report of unsuccessful connection attempts? I have tried to find a query for my question but I have not been successful. For context, this is the first time I'm handling Splunk.
I would appreciate your help
regards
Okay, you are going to have to figure out what a logon looks like, and what an unsuccessful logon looks like, on your system. If you don't have a senior person who already has some queries for you to start with, then what you do is this -
1) Log off your system
2) Log onto your system but INTENTIONALLY type the wrong password the first time.
3) Log onto your system
4) Immediately log onto Splunk, go to your search within about 3 minutes and search for
index=* earliest=-3m@m "<myuserid>"
where <myuserid> is your user id. Do not put the angle brackets, just your userid.
That should return you a few records that show you logging off, failing to log on, and logging on - one of each. You now know what the records look like, what index they are in, and what fields are already available on them.
Now, with all the different operating systems and device types and security software there is out there, there are literally dozens of ways a person can log on, and probably hundreds of ways that the records might look. The connection records for a VPN look different than logons via Windows XP, or Windows 8, or via PAM, or via su or sudo or ssh or any number of other ones. So, really, you need to find out internally which ones you are supposed to be looking for, and in what indexes.
When you find out more specifics, then you can search site:answers.splunk.com for those key words to find sample queries.
Here's one answer that's relevant:
https://answers.splunk.com/answers/527671/how-to-generate-a-search-to-find-the-wrong-user-lo.html
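The procedure above (produce one logoff, one failed logon and one successful logon, then search the last three minutes for your user id) can be shown end to end on sample data. The Python below is an added example, not part of the answer or of Splunk: it works on constructed sshd/PAM-style auth log lines (one of the logon sources the answer lists), mirrors the `index=* earliest=-3m@m "<myuserid>"` search as a function, classifies each record as failed/success/logoff so you can see what each type looks like, and then builds the per-user, per-source count of unsuccessful attempts the question asks for. The log format, host names, user names and addresses are all assumptions made for the demo.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Union

# Constructed sshd/PAM-style auth log lines for the demo (not real data,
# not from the page). Format: "<ISO timestamp> <host> <process>: <message>".
SAMPLE_LOG = """\
2024-01-10T09:10:30 host1 sshd[1201]: Accepted password for bob from 10.0.0.9 port 5010 ssh2
2024-01-10T09:14:05 host1 sshd[1100]: pam_unix(sshd:session): session closed for user alice
2024-01-10T09:14:40 host1 sshd[1230]: Failed password for alice from 10.0.0.5 port 5022 ssh2
2024-01-10T09:14:55 host1 sshd[1231]: Accepted password for alice from 10.0.0.5 port 5023 ssh2
2024-01-10T09:16:00 host1 sshd[1240]: Failed password for invalid user admin from 198.51.100.3 port 4444 ssh2
2024-01-10T09:16:20 host1 sshd[1241]: Failed password for alice from 198.51.100.3 port 4445 ssh2
"""

# The three record types the answer tells you to produce and recognise.
# Group 1 is the user id; group 2 (where present) is the source address.
PATTERNS = [
    ("failed",  re.compile(r"Failed \w+ for (?:invalid user )?(\S+) from (\S+)")),
    ("success", re.compile(r"Accepted \w+ for (\S+) from (\S+)")),
    ("logoff",  re.compile(r"session closed for user (\S+)")),
]


@dataclass
class Event:
    ts: datetime
    host: str
    outcome: str           # failed | success | logoff | other
    user: Optional[str]
    src: Optional[str]
    raw: str


def parse_event(line: str) -> Event:
    """Split one log line into timestamp, host and message, then classify it."""
    ts_str, host, _proc, msg = line.split(" ", 3)
    ts = datetime.fromisoformat(ts_str)
    for outcome, pat in PATTERNS:
        m = pat.search(msg)
        if m:
            src = m.group(2) if pat.groups > 1 else None
            return Event(ts, host, outcome, m.group(1), src, line)
    return Event(ts, host, "other", None, None, line)


def search_recent(log: str, userid: str, now: Union[datetime, str],
                  minutes: int = 3) -> list[Event]:
    """Mirror of `index=* earliest=-3m@m "<myuserid>"`: keep events from the last
    N minutes (snapped down to the whole minute, like Splunk's @m) whose raw
    text contains the user id, in time order."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    earliest = (now - timedelta(minutes=minutes)).replace(second=0, microsecond=0)
    events = [parse_event(l) for l in log.splitlines() if l.strip()]
    return sorted((e for e in events if e.ts >= earliest and userid in e.raw),
                  key=lambda e: e.ts)


def failed_logon_report(log: str) -> dict[str, dict[str, int]]:
    """Count unsuccessful attempts per user and per source address: the report
    the question asks for, once you know which records mean 'failed'."""
    report: dict[str, dict[str, int]] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        e = parse_event(line)
        if e.outcome == "failed":
            per_src = report.setdefault(e.user, {})
            per_src[e.src] = per_src.get(e.src, 0) + 1
    return report


if __name__ == "__main__":
    # Step 4 of the answer: search the last three minutes for your own user id
    # and look at what each record type looks like.
    for e in search_recent(SAMPLE_LOG, "alice", "2024-01-10T09:17:00"):
        print(f"{e.ts:%H:%M:%S} {e.outcome:8} {e.raw.split(': ', 1)[1]}")
    # The report: failed attempts per user, broken down by source address.
    print(failed_logon_report(SAMPLE_LOG))
```

Once you have identified the real record types in your own indexes, the regexes in `PATTERNS` are the part to replace; the Splunk equivalent of `failed_logon_report` would be the same filter followed by a `stats count by user, src`.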
Can you give more details? What do you mean with unsuccessful connection attempts?