Splunk Search

How to find failed Logons by IP Address and by Username?

Explorer

Hi all,

I have some dashboard requirements to be created in "search & reporting app":

  1. failed logons by IPAddress
  2. failed logons by Username
  3. Users Failing to Logon from Multiple IPs

I tried this search, but it is not working:

index=_audit action=failure | stats count by _time,user,action

Can you please help me in finding out the solution?

Thanks in Advance,

Regards,
Mahesh P.

1 Solution

Legend

UPDATED ANSWER: My earlier answer was wrong.

Are you trying to find instances where folks failed to log in to Splunk? Because the _audit index only contains audit information about the Splunk environment itself. If you want to see login attempts for Splunk, use this search (Splunk 6.2):

index=_audit  user!=splunk-system-user user!="n/a" action="login attempt"

If you want to track failed Linux logins or failed Windows logins, etc., then you must input the corresponding logs to Splunk. Then write a search that is appropriate for the input.

For example, usually the Linux log will be /var/log/secure. Once you have loaded it into Splunk with the sourcetype linux_secure you can do a search like this to see the failed logins over the last 24 hours.

sourcetype=linux_secure "Failed password" earliest=-24h
| stats count by user src_ip action

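As an added example (not part of the original thread), the following Python script shows the same aggregation the answer's stats command performs, run offline over constructed /var/log/secure lines, and also covers the third dashboard requirement (users failing from multiple IPs), which the answer leaves open. The sample log lines, host name and IP addresses are constructed; the SPL in the comments is the rough Splunk equivalent of each function, assuming the linux_secure sourcetype yields the user and src_ip fields used in the answer.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the sshd /var/log/secure format that the answer's
# "Failed password" search matches; not taken from any real host.
SAMPLE_SECURE_LOG = """\
Mar  3 10:01:12 host1 sshd[2201]: Failed password for root from 203.0.113.10 port 51122 ssh2
Mar  3 10:01:15 host1 sshd[2201]: Failed password for root from 203.0.113.10 port 51123 ssh2
Mar  3 10:02:40 host1 sshd[2209]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Mar  3 10:03:05 host1 sshd[2215]: Failed password for root from 198.51.100.7 port 40020 ssh2
Mar  3 10:04:00 host1 sshd[2220]: Accepted password for alice from 192.0.2.5 port 50001 ssh2
Mar  3 10:05:30 host1 sshd[2231]: Failed password for alice from 192.0.2.5 port 50002 ssh2
"""

# "invalid user" appears when the account does not exist; the optional group
# absorbs it so the user field is the attempted name in both cases.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port \d+"
)


def parse_failed_logins(log_text):
    """Return a (user, src_ip) tuple for every 'Failed password' line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("src_ip")))
    return events


def failed_by_ip(events):
    # SPL: sourcetype=linux_secure "Failed password" | stats count by src_ip
    return Counter(ip for _, ip in events)


def failed_by_user(events):
    # SPL: sourcetype=linux_secure "Failed password" | stats count by user
    return Counter(user for user, _ in events)


def users_from_multiple_ips(events, min_ips=2):
    # SPL: ... | stats dc(src_ip) AS ip_count values(src_ip) AS ips by user | where ip_count>=2
    ips_per_user = defaultdict(set)
    for user, ip in events:
        ips_per_user[user].add(ip)
    return {u: sorted(ips) for u, ips in ips_per_user.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    ev = parse_failed_logins(SAMPLE_SECURE_LOG)
    print("failed by IP:", dict(failed_by_ip(ev)))
    print("failed by user:", dict(failed_by_user(ev)))
    print("users failing from multiple IPs:", users_from_multiple_ips(ev))
```

The successful "Accepted password" line is deliberately included so the parser demonstrates that only failures are counted.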
