Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Combined Linux Searches

gm3ndez
New Member
‎09-25-2020 07:41 AM

Hello ,

Im trying to run a audit search for high priority linux servers - should have the following in the search

sudo login, failed login, login/logoff and account change and deletion.

i was able to combine to searches with the "OR" command:

index="ssh_login_index" sourcetype="linux_secure" (process=sshd session opened OR closed) host="linux server"

but still cant combine the rest of the searches to the search above. Thanks in advance!

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-25-2020 08:14 AM

Hi @gm3ndez,

I had to do something like this and I solved it with eventtypes and tags:

I created many eventtypes containing each one a single search, e.g.:

[Linux_Audit]
search = index=os sourcetype=linux_secure NOT disconnect

[Linux_Logfail]
search = eventtype=Linux_Audit "failed password"

[Linux_Login]
search = eventtype=Linux_Audit "accepted password"

[Linux_Logout]
search = eventtype=Linux_Audit "session closed"

associating to each one dedicated tags (e.g. LINUX for each and then LOGIN for Linux_Login, LOGFAIL for Linux_Logfail, and so on)

in this way in the search I can use only

tag=LINUX

having all the searches in eventtypes in a little search.

This way is a little more complicated, but more efficient and clear to maintain and use.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top