How to find events that have non RFC1918 addresses

wtaylor149
Explorer

Issue I'm facing:

My use case is to detect a successful ssh login from an external ip_address.

I have my linux logs in: index=linux_logs

These logs have a field called "hostname". "hostname" is sometimes a FQDN and sometimes it's an ip_address. I have an asset list (lookup file), assets.csv. Not all of the FQDNs from the linux_logs are in this list.

Here is my initial query:

index=linux_logs sourcetype=syslog exe="/usr/sbin/sshd" res=success NOT hostname=?
| stats count, min(_time) as first_time, max(_time) as last_time, values(dest) as dest, values(hostname) as src by acct
| lookup assets.csv dns AS src OUTPUT ip
| fillnull value=no_ip ip

A sample of the results:

acct  | count | first_time        | last_time         | dest                | hostname           | ip
user1 | 50    | epoch_time_format | epoch_time_format | host1.mycompany.com | src1.mycompany.com | 10.36.25.14
user2 | 40    | epoch_time_format | epoch_time_format | host3.mycompany.com | src3.mycompany.com | no_ip

I want to eliminate the RFC1918 addresses and keep the "no_ip" rows and the IPs outside of the RFC1918 ranges. I do have a lookup for the RFC1918 ranges, but I'm struggling with how to write the SPL to check the "ip" field for what I need. Any help is greatly appreciated.


PickleRick
SplunkTrust
| where NOT cidrmatch("10.0.0.0/8",ip) AND NOT cidrmatch("192.168.0.0/16",ip) AND [...]
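Putting the cidrmatch() filter into the original search, as an added example that is from neither poster: the lookup and filter are moved before stats so each event carries a single hostname and a single ip (a multivalue ip produced after values(hostname) does not filter cleanly), the eval covers the case where hostname is itself an IP address and therefore never matches assets.csv, and 172.16.0.0/12 completes the three RFC1918 ranges. Field and lookup column names (hostname, dest, acct, res, dns, ip) are taken from the question; src_ip is a new output name chosen here.

```spl
index=linux_logs sourcetype=syslog exe="/usr/sbin/sshd" res=success NOT hostname=?
| lookup assets.csv dns AS hostname OUTPUT ip
| eval ip=if(isnull(ip) AND match(hostname, "^\d{1,3}(\.\d{1,3}){3}$"), hostname, ip)
| fillnull value=no_ip ip
| where ip="no_ip" OR NOT (cidrmatch("10.0.0.0/8", ip) OR cidrmatch("172.16.0.0/12", ip) OR cidrmatch("192.168.0.0/16", ip))
| stats count, min(_time) as first_time, max(_time) as last_time, values(dest) as dest, values(hostname) as src, values(ip) as src_ip by acct
```

Loopback (127.0.0.0/8) and link-local (169.254.0.0/16) are not RFC1918 and will pass this filter; add them inside the NOT (...) group if they should be excluded as well. Rows with src_ip=no_ip are hosts missing from assets.csv rather than confirmed external sources, so they still need a look.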