Splunk Enterprise Security

When is a Failed Login, not a failed login...

Path Finder


How can I prevent the Splunk Nix TA from mapping the following event to a 'Failed Login' within the Authentication Data Model?

sshd[31604]: [ID 800047 auth.notice] Failed none for bla from 10.x.x.x. port 63604 ssh2

I basically want to exclude anything where the phrase 'Failed none' is seen in the raw event.

The following content from the props, in conjunction with the lookup listed below, is mapping the event as action=failed.


Event extractions by type

LOOKUP-action_for_syslog = nix_action_lookup vendor_action OUTPUTNEW action

From the lookup file:

vendor_action,action
failed,failure

I can hash out the line above in the lookup file, but this would then also drop genuine failed logins which I still want to capture.

Any help appreciated.

0 Karma


You can change the search string of the event type to exclude the keyword 'Failed none'.

The list of event types can be found under 'Settings -> Event Types' in the GUI.

0 Karma


Please review the default/eventtypes.conf and tags.conf to understand the current mapping between events/eventtypes and the 'authentication' tag. You can then create new event types or adjust existing ones to exclude your event(s) from getting the 'failed logon' eventtype and auth tags [and/or by using your specific sourcetypes in the exclusion].

0 Karma
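The two routes the answers above describe, written out as an added example (this is not the TA's own configuration and not code from the thread); the sourcetype and eventtype stanza names, and the replacement action value, are assumptions you will need to adjust:

```ini
# local/props.conf -- stanza name is an assumption: use the sourcetype your
# sshd events actually carry.
[linux_secure]
# Search-time order is: field extractions -> field aliases -> calculated
# fields (EVAL-) -> automatic lookups (LOOKUP-). The TA's lookup uses
# OUTPUTNEW, which only writes action when the field is still empty, so
# pre-setting action for the "Failed none" events stops the lookup from
# turning them into action=failure. null() leaves every other event
# untouched, so genuine failures still go through nix_action_lookup as
# before. Any value other than "failure" keeps the event out of
# Failed_Authentication; "unknown" is an assumed choice.
EVAL-action = if(match(_raw, "Failed none"), "unknown", null())

# local/eventtypes.conf -- the alternative both answers describe. The
# stanza name is a placeholder: override the real eventtype that carries
# tag=authentication for these events (Settings -> Event Types), keeping
# its existing search and appending the exclusion. Dropping the event
# from the tagged eventtype removes it from the data model entirely.
[ASSUMED_sshd_failed_login_eventtype]
search = sourcetype=linux_secure "Failed" NOT "Failed none"
```

After the config is loaded, a search such as `index=<your index> "Failed none" | stats count by action, eventtype` confirms that these events no longer carry action=failure, while a search on a real "Failed password" event still does.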

Path Finder

Ah, you mean 'read the documentation' - If only I'd thought of that...

0 Karma