Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find failed Logons by IP Address and by Username?

Maheshparsi
Explorer
‎09-15-2015 10:43 PM

Hi all,

I have some dashboard requirements to be created in "search & reporting app":

  1. failed logons by IPAddress
  2. failed logons by Username
  3. Users Failing to Logon from Multiple IPs

I tried this search, but it is not working:

index=_audit action=failure | stats count by _time,user,action

Can you please help me in finding out the solution?

Thanks in Advance,

Regards,
Mahesh P.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎09-16-2015 12:29 AM

UPDATED ANSWER: My earlier answer was wrong.

Are you trying to find instances where folks failed to login to Splunk? Because the _audit index only contains audit information about the Splunk environment itself. If you want to see login attempts for Splunk, use this search (Splunk 6.2)

index=_audit  user!=splunk-system-user user!="n/a" action="login attempt"

If you want to track failed Linux logins or failed Windows logins, etc. then you must input the corresponding logs to Splunk. Then write a search that is appropriate for the input.

For example, usually the Linux log will be /var/log/secure. Once you have loaded it into Splunk with the sourcetype linux_secure you can do a search like this to see the failed logins over the last 24 hours.

sourcetype=linux_secure "Failed password" earliest=-24h
| stats count by user src_ip action

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎09-16-2015 12:29 AM

UPDATED ANSWER: My earlier answer was wrong.

Are you trying to find instances where folks failed to login to Splunk? Because the _audit index only contains audit information about the Splunk environment itself. If you want to see login attempts for Splunk, use this search (Splunk 6.2)

index=_audit  user!=splunk-system-user user!="n/a" action="login attempt"

If you want to track failed Linux logins or failed Windows logins, etc. then you must input the corresponding logs to Splunk. Then write a search that is appropriate for the input.

For example, usually the Linux log will be /var/log/secure. Once you have loaded it into Splunk with the sourcetype linux_secure you can do a search like this to see the failed logins over the last 24 hours.

sourcetype=linux_secure "Failed password" earliest=-24h
| stats count by user src_ip action
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...