Splunk Search

Event correlation

fisk12
Path Finder

Hello, I have begun trying to build up Splunk to use as an event handler. SSH seemed to be a good place to start and learn, so I'm thinking about how to do it. As of now I was planning to create a custom dashboard that prints custom-created events in real time. I'm now trying to create an event that searches for a couple (3-4) of failed SSH logins on the same host within, say, 15 minutes.

How do I count the number of res=failed in an event that looks like this?

index="os" source=/var/log/audit/audit.log res=failed | transaction host maxspan=15m 

Also, does this seem like a good idea to you?

0 Karma

Paolo_Prigione
Builder

Hi, are you looking for failed logins associated with the same user name? If you have a field representing the user who attempted the login, called "user_name", you could try the following to produce a table:

index="os" source=/var/log/audit/audit.log res=failed | bucket _time span=15m | stats count by _time host user_name | search count>=4

Or this one to plot a chart of the number of failed logins every 15 minutes, per host:

index="os" source=/var/log/audit/audit.log res=failed | timechart count by host

Welcome to the Splunk universe!

0 Karma
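The same detection logic, run offline over constructed auditd records, as an added example (not code from this thread or from Splunk). It implements the bucket/stats search above and, beside it, a sliding 15-minute window of the kind `transaction host maxspan=15m` in the question approximates. Assumptions: the account field is taken from the `acct=` key that auditd USER_AUTH records carry (the thread's `user_name` is a placeholder), each record is paired with a host name standing in for Splunk's `host` field (audit.log itself has none), and the sample records are constructed, not captured from a real system.

```python
"""Offline equivalent of the two SPL approaches in this thread:

  index="os" source=/var/log/audit/audit.log res=failed
  | bucket _time span=15m | stats count by _time host acct | search count>=4

plus a sliding 15-minute window (what transaction host maxspan=15m approximates).
"""
import re
from collections import Counter, defaultdict

SPAN = 15 * 60   # seconds, same as span=15m / maxspan=15m
THRESHOLD = 4    # same as search count>=4

# key=value pairs; values may be double-quoted (acct="root") or bare (res=failed)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# auditd timestamp: msg=audit(<epoch>.<ms>:<serial>)
TS_RE = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")


def parse_audit_line(line):
    """Flatten one auditd record (including the nested msg='...' payload) into a dict.

    Returns the key=value fields plus _time (epoch seconds), mirroring the
    fields Splunk's audit.log extraction would expose.
    """
    line = line.strip()
    ts = TS_RE.search(line)
    if ts is None:
        raise ValueError("not an auditd record: %r" % line)
    # Drop the quotes around the nested msg='...' so its key=value pairs are parsed too.
    flat = line.replace("msg='", "").rstrip("'")
    fields = {key: value.strip('"') for key, value in KV_RE.findall(flat)}
    fields["_time"] = int(ts.group(1))
    return fields


def failed_logins(events):
    """Yield (host, fields) for records with res=failed, like the base search."""
    for host, line in events:
        fields = parse_audit_line(line)
        if fields.get("res") == "failed":
            yield host, fields


def bucket_alerts(events, threshold=THRESHOLD, span=SPAN):
    """bucket _time span=15m | stats count by _time host acct | search count>=N"""
    counts = Counter()
    for host, f in failed_logins(events):
        bucket = f["_time"] - f["_time"] % span   # start of the fixed 15-minute bucket
        counts[(bucket, host, f.get("acct", "unknown"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def sliding_window_alerts(events, threshold=THRESHOLD, span=SPAN):
    """Alert when any window of <= span seconds holds >= threshold failures per host/account.

    Unlike fixed buckets this catches a burst that straddles a bucket boundary.
    Returns {(host, acct): (first_ts_in_window, ts_that_crossed_threshold)}.
    """
    times = defaultdict(list)
    for host, f in failed_logins(events):
        times[(host, f.get("acct", "unknown"))].append(f["_time"])
    hits = {}
    for key, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > span:   # shrink the window until it spans <= span seconds
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = (ts[start], t)
                break
    return hits


def audit_line(epoch, serial, acct, res, addr="203.0.113.7"):
    """Constructed auditd USER_AUTH record for sshd (sample data for this example, not a real capture)."""
    return (f"type=USER_AUTH msg=audit({epoch}.000:{serial}): pid=4101 uid=0 "
            "auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? "
            f'acct="{acct}" exe="/usr/sbin/sshd" hostname={addr} addr={addr} '
            f"terminal=ssh res={res}'")


# (host, raw line) pairs; host stands in for Splunk's host field, which audit.log lacks.
SAMPLE_EVENTS = [
    # web01: four failures for root inside one 15-minute bucket -> both methods alert
    ("web01", audit_line(1700000000, 201, "root", "failed")),
    ("web01", audit_line(1700000020, 202, "root", "failed")),
    ("web01", audit_line(1700000040, 203, "root", "failed")),
    ("web01", audit_line(1700000060, 204, "root", "failed")),
    ("web01", audit_line(1700000080, 205, "root", "success")),   # ignored: res != failed
    # web02: only two failures for alice -> no alert
    ("web02", audit_line(1700000000, 301, "alice", "failed")),
    ("web02", audit_line(1700000030, 302, "alice", "failed")),
    # web02: four failures for bob within 100 s, straddling the bucket edge at 1700000100
    ("web02", audit_line(1700000040, 303, "bob", "failed")),
    ("web02", audit_line(1700000070, 304, "bob", "failed")),
    ("web02", audit_line(1700000110, 305, "bob", "failed")),
    ("web02", audit_line(1700000140, 306, "bob", "failed")),
]

if __name__ == "__main__":
    for key, n in sorted(bucket_alerts(SAMPLE_EVENTS).items()):
        print("bucket alert:", key, n)
    for key, window in sorted(sliding_window_alerts(SAMPLE_EVENTS).items()):
        print("sliding-window alert:", key, window)
```

The caveat this makes visible: fixed buckets report only root on web01, while bob on web02 (four failures in 100 seconds, but two on each side of a bucket edge) is found only by the sliding window. If the bucketed search is scheduled, either accept that gap or look back across more than one bucket (a `streamstats`-style running count, or the `transaction` form from the question) for the threshold check.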

Paolo_Prigione
Builder

Event types are not suited to grouping sets of related events. For instance, it would be hard (if not impossible) to create the event type "more than 4 failed login attempts". You could, however, create the event type "failed login attempt", and then a search counting those events per user in the last X minutes. Then you could create a simple dashboard with that and other searches in it, to monitor all the possible weird events in the infrastructure (or schedule the searches and let them notify you when they find anything strange).

0 Karma

fisk12
Path Finder

Oh, that was nice! My goal is to have a separate dashboard/app (maybe a bit advanced at the moment), and there I have a list of "weird" events from the infrastructure. Stuff like multiple status=denied from the firewall, weird behaviour from someone browsing our homepage, denies from SSH, etc. How do you do that in a smooth way? Maybe create the events and tag them, and have a search for tagged events?

0 Karma