Splunk Enterprise Security

When is a Failed Login, not a failed login...

jacqu3sy
Path Finder

Hi,

How can I prevent the Splunk Nix TA from mapping the following event to a 'Failed Login' within the Authentication Data Model?

sshd[31604]: [ID 800047 auth.notice] Failed none for bla from 10.x.x.x. port 63604 ssh2

I basically want to exclude anything where the phrase 'Failed none' is seen in the raw event.

The following content from the props, in conjunction with the lookup listed below, is mapping the event as action=failed.

[syslog]

Event extractions by type

...
LOOKUP-action_for_syslog = nix_action_lookup vendor_action OUTPUTNEW action
...

From the lookup file:
vendor_action action
...
failed failure
...

I can hash out the line above in the lookup file, but this would then also drop genuine failed logins which I still want to capture.

Any help appreciated.

0 Karma

jawaharas
Motivator

You can change the search string of the eventtype to exclude the keyword 'Failed none'.

The list of event types can be found under 'Settings->Event Types' in the GUI.

0 Karma

lakshman239
Influencer

Please review the default/eventtypes.conf and tags.conf to understand the current mapping between events/eventtypes and the 'authentication' tag. You can then create new eventtypes or adjust existing ones to exclude your event(s) from getting the 'failed logon' eventtype and auth tags. [and/or by using your specific sourcetypes in the exclusion]

0 Karma
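Both replies point at the same mechanism: the TA's eventtypes.conf search string, together with a tags.conf entry, is what gives the event its authentication tag, and the Authentication data model selects on that tag (so the lookup's action=failure only matters once the event is already tagged). The following is an added example of a local override, not the TA's own configuration and not from any poster in this thread. The stanza name nix_failed_login_placeholder and the search string are assumptions: copy the real stanza name and the full default search value from the TA's default/eventtypes.conf, then append the exclusion. A local/ stanza replaces the whole search key, so the original search text must be repeated, not just the NOT clause.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/eventtypes.conf
# Added example: the stanza name and search below are placeholders.
# Copy the exact stanza name and default search from
# default/eventtypes.conf, then append the exclusion clause.
[nix_failed_login_placeholder]
search = sourcetype=syslog sshd "Failed" NOT "Failed none"

# default/tags.conf (unchanged, shown for context only):
# the authentication tag is attached per eventtype, so once
# 'Failed none' lines no longer match the eventtype they also
# lose the tag and drop out of the Authentication data model.
[eventtype=nix_failed_login_placeholder]
authentication = enabled
```

Eventtypes are evaluated at search time, so the change applies to already-indexed data after a restart or a reload of the search-time configuration. To confirm it, a search such as `eventtype=nix_failed_login_placeholder "Failed none"` (with the real stanza name) should return nothing, while `eventtype=nix_failed_login_placeholder "Failed password"` should still return the genuine failures you want to keep. As a caveat when judging the noise, OpenSSH logs "Failed none" when a client probes with the "none" method before offering a password or key, so these lines normally precede the real attempt rather than representing a separate one.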

jacqu3sy
Path Finder

Ah, you mean 'read the documentation' - If only I'd thought of that...

0 Karma