Hello, I have recently started learning about Splunk and have been stuck while attempting to make a search display events that come from both my Linux and my Windows machine at once. For example, for Windows, I have created this query that counts and displays, per minute, the times EventID 4625 has a failed password from SSH:
sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" Account_Name=client1 failed password*
| bucket span=1m _time
| stats count by _time, host, source, Caller_Process_Name, Account_Name, EventCode, Failure_Reason
| table _time, host, source, EventCode, count, Caller_Process_Name, Account_Name, Failure_Reason
And I have this query for Linux that does the same:
index=* sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" OR user=* failed password*
| bucket span=1m _time
| stats count by _time, host, process, source
| table _time, host, source, process, count
The issue is, whenever I try to make it display both Linux and Windows events at once by providing the fields together, such as process (Linux related), EventCode (Windows related), Account_Name (Windows related) and user (Linux related), with this query:
sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" failed password*
| bucket span=1m _time
| stats count by _time, host, source, EventCode
| table _time, host, source, EventCode
Then it only displays the Windows logs, and this is just because EventCode was added. If I remove "EventCode" and paste it as:
sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" failed password*
| bucket span=1m _time
| stats count by _time, host, source
| table _time, host, source
Then both appear on the screen, but without the filters I want. I am confused, can anyone help me please? Thanks!
Hi @SplunkNewbie132,
you can use the solution from @yuanliu or a more structured one.
You should create an eventtype for each data source,
e.g. for Windows:
sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" Account_Name=client1 failed password*
and for Linux:
index=* sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" OR user=* failed password*
then you can run a simpler search like this:
eventtype=windows OR eventtype=linux
| bucket span=1m _time
| stats values(EventCode) AS EventCode by _time host source
Obviously there are fields (such as EventCode) that are present in only one OS, so they will be empty in the Linux rows.
If you have fields with the same content but different names (e.g. process and Caller_Process_Name), you can use a rename or an alias:
eventtype=windows OR eventtype=linux
| bucket span=1m _time
| stats values(EventCode) AS EventCode by _time host source
| eval Caller_Process_Name=coalesce(process,Caller_Process_Name)
Ciao.
Giuseppe
(First, it would be much easier for others to understand if you could lay out sample code distinctly from the descriptive text.)
"Then it will only display me the Windows logs, and this is just because the EventCode was added."
That is because "group by" only operates on non-null values. EventCode doesn't exist in the Linux logs, therefore the Linux events are not included.
How to display events from both depends on the exact kind of output you require. Here is one possible method:
((sourcetype="wineventlog:security" host="CLIENT1-DESKTOP" Account_Name=client1) OR (source="/var/log/auth.log" host="client3-kali")) failed password*
| bucket span=1m _time
| eval ProcessName = if(sourcetype=="wineventlog:security", Caller_Process_Name, process)
| stats count values(Account_Name) as Account_Name values(EventCode) as EventCode values(Failure_Reason) as Failure_Reason by _time, host, ProcessName, source
| table _time, host, source, EventCode, count, ProcessName, Account_Name, Failure_Reason
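Both answers above come down to the same point: stats drops any event whose by-fields are null, so fields that exist on only one side (EventCode, Failure_Reason, Account_Name on Windows; user, process on Linux) have to be normalized or filled before the stats. The search below is an added example, not code from either answer or from the original post, that combines the two techniques: coalesce the differently named fields into shared ones and fillnull the Windows-only ones so a Linux row is never discarded. It assumes the field names already used in the thread (Account_Name, Caller_Process_Name, EventCode, Failure_Reason for wineventlog:security; user and process for /var/log/auth.log), and it assumes that on a 4625 event Account_Name is multivalued with the target account last, which is why mvindex is used to pick it.

```spl
(sourcetype="wineventlog:security" host="CLIENT1-DESKTOP" EventCode=4625)
OR (source="/var/log/auth.log" host="client3-kali" "Failed password")
| eval os=if(sourcetype=="wineventlog:security", "windows", "linux")
``` On a 4625 event Account_Name carries the subject account and the target account; take the last one (assumption: target is last) so both OSes report the account that failed to log on ```
| eval user=if(os=="windows", mvindex(Account_Name, -1), user)
``` Same content, different field names on each OS ```
| eval process=coalesce(Caller_Process_Name, process)
``` Windows-only fields: give them a placeholder so stats keeps the Linux rows ```
| fillnull value="-" EventCode Failure_Reason
| bucket span=1m _time
| stats count by _time os host user process EventCode Failure_Reason
| table _time os host user process EventCode Failure_Reason count
```

The inline ``` ... ``` markers are SPL comments (Splunk 9 and later); remove them on older versions. If you would rather keep the per-OS filters in eventtypes as Giuseppe suggests, replace the first two lines with eventtype=windows OR eventtype=linux and keep the rest unchanged; the eval and fillnull steps are what make the combined stats work, whichever way the base search is written.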