Splunk Search

How to create a sudo to root, dedup 24 hours report?

DW2054
Engager

How to create a sudo to root, dedup 24 hour by user report?

So far I have:
process=sudo "USER=root"| rex "(?i) PWD=(?P[^ ]+)"| table date_month, date_mday, host, path_name | dedup host|sort date_mday, host, path_name|rename "date_month" as "Month" "date_mday" as "Day" "host" as "Server" "path_name" as "User ID"

I am getting about 90% of what I want...But the dedup host is causing me to miss data related to multiple users sudo'ing into the same server on the same day. If I take dedup host out, I get numerous transactions of the SUDO user on the same machine.

Tags (2)
0 Karma
1 Solution

jdunlea
Contributor

You can use dedup with multiple fields. So if you do your dedup in the following way (or a variation of it) you should be good.

| dedup host user

This is providing that "user" is an actual field of course.

View solution in original post

DW2054
Engager

Final version:

COMMAND=/bin/su - process=sudo| rex "(?i) sudo: (?P[^ ]+)"| table date_month, date_mday, host, path_name |dedup host path_name| sort date_mday, host, path_name| search path_name>0| rename "date_month" as "Month" "date_mday" as "Day" "host" as "Server" "path_name" as "User ID"

Works perfect!

Thank you!

0 Karma

jdunlea
Contributor

You can use dedup with multiple fields. So if you do your dedup in the following way (or a variation of it) you should be good.

| dedup host user

This is providing that "user" is an actual field of course.

Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...