Splunk Enterprise Security

When is a Failed Login, not a failed login...

jacqu3sy
Path Finder

Hi,

How can I prevent the Splunk Nix TA from mapping the following event to a 'Failed Login' within the Authentication Data Model.

sshd[31604]: [ID 800047 auth.notice] Failed none for bla from 10.x.x.x. port 63604 ssh2

I basically want to exclude anything where the phrase 'Failed none' is seen in the raw event.

The following content from the props, in conjunction with the lookup listed below, is mapping the event as action=failed.

[syslog]

Event extractions by type

...
LOOKUP-action_for_syslog = nix_action_lookup vendor_action OUTPUTNEW action
...

From the lookup file:
vendor_action action
...
failed failure
...

I can hash out the line above in the lookup file, but this would then also drop genuine failed logins which I still want to capture.

Any help appreciated.

0 Karma

jawaharas
Motivator

You can change the search string of the eventtype to exclude the keyword 'Failed none'.

The list of event types can be found under 'Settings -> Event Types' in the GUI.

0 Karma

lakshman239
SplunkTrust

Please review the default/eventtypes.conf and tags.conf to understand the current mapping between events/eventtypes and the 'authentication' tag. You can then create a new eventtype or adjust existing ones to exclude your event(s) from getting the 'failed logon' eventtype and auth tags [and/or by using your specific sourcetypes in the exclusion].

0 Karma
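A concrete form of the local override both answers point at, added here as an example and not part of the thread or of Splunk_TA_nix itself; the stanza name and the base search are placeholders that must be replaced with the real ones from the TA's default/eventtypes.conf.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/eventtypes.conf   (added example)
#
# Stanza name is a PLACEHOLDER: copy the exact stanza that carries the
# 'authentication' tag in default/eventtypes.conf and override only its
# search here, so the default file stays untouched on upgrade.
[PLACEHOLDER_nix_ssh_failed_login]
# Base search is assumed; keep whatever the default stanza already has and
# append the NOT clause. "Failed none" is the ssh client probing which
# authentication methods sshd accepts, not a credential failure, so these
# events should never receive tag=authentication and therefore never land
# in the Authentication data model's Failed_Authentication set.
search = sourcetype=syslog "sshd" "Failed" NOT "Failed none"

# tags.conf needs no change: the tag stays bound to the eventtype name, and
# the excluded events simply never match it.
#
# Verify after a restart or `| extract reload=true`:
#   sourcetype=syslog "Failed none" | stats count by eventtype, tag
# should return no rows carrying tag=authentication, while
#   sourcetype=syslog "Failed password" | stats count by eventtype, tag
# still does. Genuine failures keep action=failure from the existing lookup.
```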

jacqu3sy
Path Finder

Ah, you mean 'read the documentation' - If only I'd thought of that...

0 Karma