How to create a sudo to root, dedup 24 hours report?

DW2054
Engager

How to create a sudo to root, dedup 24 hour by user report?

So far I have:
process=sudo "USER=root"| rex "(?i) PWD=(?P<path_name>[^ ]+)"| table date_month, date_mday, host, path_name | dedup host|sort date_mday, host, path_name|rename "date_month" as "Month" "date_mday" as "Day" "host" as "Server" "path_name" as "User ID"

I am getting about 90% of what I want... But the dedup host is causing me to miss data related to multiple users sudo'ing into the same server on the same day. If I take dedup host out, I get numerous transactions of the SUDO user on the same machine.


jdunlea
Contributor

You can use dedup with multiple fields. So if you do your dedup in the following way (or a variation of it) you should be good.

| dedup host user

This is provided that "user" is an actual field, of course.

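The effect of deduplicating on host alone versus host plus user, as an added example that is not part of the original thread: it runs the same field extraction as the rex above over a few constructed sudo syslog lines and keeps one row per day, host and invoking user, so a second user on the same server is no longer dropped. The log format, host names and user names are assumptions.

```python
import re

# Constructed sample sudo syslog lines (not taken from the original thread).
SAMPLE_LOGS = """\
Mar  3 08:10:01 web01 sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Mar  3 08:12:45 web01 sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Mar  3 09:30:12 web01 sudo:    bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/su -
Mar  3 10:05:33 db01 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Mar  3 10:06:00 db01 sudo:  carol : TTY=pts/2 ; PWD=/home/carol ; USER=postgres ; COMMAND=/usr/bin/psql
Mar  4 07:59:59 web01 sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
"""

# Same idea as the thread's rex "(?i) sudo: (?P<...>[^ ]+)": the invoking user is
# the first token after "sudo:". Month, day and host come from the syslog header.
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) \S+ (?P<host>\S+) sudo:\s+"
    r"(?P<user>[^ ]+) : .*USER=(?P<target>[^ ;]+) ; COMMAND=(?P<cmd>.*)$"
)


def parse(line):
    """Return the extracted fields for one sudo line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def sudo_to_root_daily(log_text, keys=("host", "user")):
    """One row per day and per combination of `keys` for sudo invocations with USER=root.

    keys=("host",)         behaves like `| dedup host`      (loses the second user per server)
    keys=("host", "user")  behaves like `| dedup host user` (one row per server and user)
    """
    seen = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev["target"] != "root":
            continue  # not a sudo-to-root event (or an unparsable line)
        key = (ev["month"], ev["day"]) + tuple(ev[k] for k in keys)
        seen.setdefault(key, ev)  # first occurrence wins, as dedup does
    rows = [{"Month": e["month"], "Day": e["day"], "Server": e["host"], "User ID": e["user"]}
            for e in seen.values()]
    # Equivalent of | sort date_mday, host, path_name
    return sorted(rows, key=lambda r: (r["Month"], int(r["Day"]), r["Server"], r["User ID"]))
```

With host-only dedup the constructed input yields 3 rows and bob's root shell on web01 disappears; with host and user it yields 4.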

DW2054
Engager

Final version:

COMMAND=/bin/su - process=sudo| rex "(?i) sudo: (?P<path_name>[^ ]+)"| table date_month, date_mday, host, path_name |dedup host path_name| sort date_mday, host, path_name| search path_name>0| rename "date_month" as "Month" "date_mday" as "Day" "host" as "Server" "path_name" as "User ID"

Works perfectly!

Thank you!
