Splunk Search

Extracting fields from Syslog event

avalle
Path Finder

I have an alert set up to email me if I see failed log on to a list of servers. I would like to alter this alert to only email me if we see failed log on on port 22. The event has a port fiend that is not extracted but I have never extracted a field and I tried to extract it but I am not sure I am doing it right. I have also tried to add "AND "port 22"" to the alert and that did not work

This is the event:
Jan 4 00:03:45 xxxxxxxxx.com sshd[26448]: [ID 800047 auth.notice] Failed keyboard-interactive for wcsuser from xxx.xxx.xxx.xxx port 56395 ssh2

This is the alert I want to filter port 22:
host=xxxdb* OR host=xxxod-* AND "ID 800047 auth.notice" | fields - index - linecount - source - sourcetype - splunk_server

Tags (3)
0 Karma

skoelpin
SplunkTrust
SplunkTrust

Try this

host=xxxdb* OR host=xxxod-* AND "ID 800047 auth.notice" 
| rex port\s(?<port>\d+) 
| search port="22" 
| fields - index - linecount - source - sourcetype - splunk_server

This will extract the numbers from port then search on port 22

avalle
Path Finder

That kind of worked you can say. I can extract the port but for some reason none of my logs are on port 22 therefore I need to dig deeper

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Add the info when you get it and I can help you solve your issue. If not, can you accept the answer and close out the question?

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...