Splunk Search

How to find events that have non-RFC1918 addresses

wtaylor149
Explorer

Issue I'm facing:

My use case is to detect a successful ssh login from an external ip_address.

I have my linux logs in: index=linux_logs

These logs have a field called "hostname". "hostname" is sometimes an FQDN and sometimes it's an ip_address. I have an asset list (lookup file), assets.csv. Not all of the FQDNs from linux_logs are in this list.

Here is my initial query:

index=linux_logs sourcetype=syslog exe="/usr/sbin/sshd" res=success NOT hostname=?
| stats count, min(_time) as first_time, max(_time) as last_time, values(dest) as dest, values(hostname) as src by acct
| lookup assets.csv dns AS src OUTPUT ip
| fillnull value=no_ip ip

A sample of the results:

acct   count  first_time         last_time          dest                 hostname             ip
user1  50     epoch_time_format  epoch_time_format  host1.mycompany.com  src1.mycompany.com   10.36.25.14
user2  40     epoch_time_format  epoch_time_format  host3.mycompany.com  src3.mycompany.com   no_ip

I want to eliminate the RFC1918 addresses and keep the "no_ip" rows and the IPs outside of the RFC1918 ranges. I do have a lookup for the RFC1918 ranges, but I'm struggling with how to write the SPL to check the "ip" field for what I need. Any help is greatly appreciated.


PickleRick
SplunkTrust
| where NOT cidrmatch("10.0.0.0/8",ip) AND NOT cidrmatch("192.168.0.0/16",ip) AND [...]
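A complete search that puts the cidrmatch() approach into the original query, added here as an example rather than either poster's own SPL. It assumes the field names from the question (acct, dest, hostname, exe, res) and an assets.csv lookup with columns dns and ip, and it adds one step the question's pipeline lacks: when hostname is already an IPv4 address it is used as the source IP directly instead of being looked up. The lookup and the RFC1918 filter run per event, before stats, so count, first_time and last_time only reflect logins that were not from a private range.

```spl
index=linux_logs sourcetype=syslog exe="/usr/sbin/sshd" res=success NOT hostname=?
| lookup assets.csv dns AS hostname OUTPUT ip
| eval ip=if(match(hostname, "^(\d{1,3}\.){3}\d{1,3}$"), hostname, ip)
| fillnull value=no_ip ip
| where NOT (cidrmatch("10.0.0.0/8", ip) OR cidrmatch("172.16.0.0/12", ip) OR cidrmatch("192.168.0.0/16", ip))
| stats count, min(_time) as first_time, max(_time) as last_time, values(dest) as dest, values(hostname) as src, values(ip) as src_ip by acct
```

cidrmatch() returns false for a value that is not a valid IP address, so the no_ip rows pass the where clause without a special case. The three ranges above are the whole of RFC1918; loopback (127.0.0.0/8) and link-local (169.254.0.0/16) are not part of it, so add them to the where clause if "external" should exclude those as well. If you would rather use the existing RFC1918 lookup, define it in transforms.conf with match_type = CIDR(cidr), where cidr is the assumed name of its range column, and replace the where line with a lookup of that table against ip followed by where isnull(<output field>); rows with no_ip and rows outside the listed ranges then get no match and are kept.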