I have an alert set up to email me if I see failed logons to a list of servers. I would like to alter this alert to only email me if we see failed logons on port 22. The event has a port field that is not extracted, but I have never extracted a field and I tried to extract it but I am not sure I am doing it right. I have also tried to add "AND "port 22"" to the alert and that did not work.
This is the event:
Jan 4 00:03:45 xxxxxxxxx.com sshd[26448]: [ID 800047 auth.notice] Failed keyboard-interactive for wcsuser from xxx.xxx.xxx.xxx port 56395 ssh2
This is the alert I want to filter port 22:
host=xxxdb* OR host=xxxod-* AND "ID 800047 auth.notice" | fields - index - linecount - source - sourcetype - splunk_server
Try this
(host=xxxdb* OR host=xxxod-*) AND "ID 800047 auth.notice"
| rex "port\s(?<port>\d+)"
| search port="22"
| fields - index - linecount - source - sourcetype - splunk_server
This will extract the number after "port" into a port field, then search for port=22.
That kind of worked, you could say. I can extract the port, but for some reason none of my logs are on port 22, therefore I need to dig deeper.
Add the info when you get it and I can help you solve your issue. If not, can you accept the answer and close out the question?
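An added example, not from the thread: the Python below reproduces the answer's rex extraction over constructed sample events (hostnames and addresses are placeholders) and shows why the "| search port=22" step finds nothing for the comment above. In an sshd "Failed ... for USER from IP port N" message, N is the client's ephemeral source port, not the server's listening port, so the listening port (22 by default, configured in sshd_config) never appears in this event; a per-source-address or per-user count is the useful filter.

```python
import re
from collections import Counter

# Regex equivalent of the answer's rex, extended to also capture the user and
# the client address. Assumes the Solaris-style sshd line format in the question.
# The user group is non-greedy so "invalid user foo" variants are kept whole.
SSHD_FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: \[ID 800047 auth\.notice\] "
    r"Failed (?P<method>[\w-]+) for (?P<user>.+?) "
    r"from (?P<src_ip>\S+) port (?P<src_port>\d+) ssh2"
)

# Constructed sample events (not from the thread). Every port value is the
# client's source port as sshd logs it; the third line is a constructed edge
# case where a client happened to connect from source port 22.
SAMPLE_EVENTS = [
    "Jan 4 00:03:45 host1.example.com sshd[26448]: [ID 800047 auth.notice] Failed keyboard-interactive for wcsuser from 203.0.113.10 port 56395 ssh2",
    "Jan 4 00:03:49 host1.example.com sshd[26451]: [ID 800047 auth.notice] Failed keyboard-interactive for wcsuser from 203.0.113.10 port 56401 ssh2",
    "Jan 4 00:04:02 host2.example.com sshd[1187]: [ID 800047 auth.notice] Failed password for root from 198.51.100.7 port 22 ssh2",
    "Jan 4 00:04:10 host2.example.com sshd[1190]: [ID 800047 auth.notice] Accepted publickey for deploy from 198.51.100.7 port 50122 ssh2",
]


def parse_failed_login(line):
    """Return the extracted fields for a failed sshd login, or None otherwise."""
    m = SSHD_FAILED_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["src_port"] = int(fields["src_port"])
    return fields


def failures_on_port(lines, port):
    """Mirror the answer's '| search port=22': keep failures whose logged port
    equals `port`. Since that port is the client's source port, a match is a
    coincidence, not evidence that the server was reached on port 22."""
    return [f for f in map(parse_failed_login, lines) if f and f["src_port"] == port]


def failures_by_source(lines):
    """Count failed logins per (client IP, user), ignoring the source port."""
    counts = Counter()
    for f in map(parse_failed_login, lines):
        if f:
            counts[(f["src_ip"], f["user"])] += 1
    return counts


if __name__ == "__main__":
    print(failures_on_port(SAMPLE_EVENTS, 22))   # one coincidental match
    print(failures_by_source(SAMPLE_EVENTS))     # the useful view
```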