I have two sources
- /var/log/secure
- /var/log/audit/audit.log
Here is my SPL so far
(index=* source="/var/log/secure" AND "*sudo*" AND ("*chown*" OR "*useradd*" OR "*adduser*" OR "*userdel*" OR "*chmod*" OR "*usermod*") AND COMMAND!="*egrep*") OR
(index="*" source="/var/log/audit/audit.log" addr!=? res=success* [search index=* source="/var/log/secure" AND "*sudo*" AND ("*chown*" OR "*useradd*" OR "*adduser*" OR "*userdel*" OR "*chmod*" OR "*usermod*") AND COMMAND!="*egrep*"
| dedup date_month date_mday
| fields date_month date_mday])
| regex _raw!= ".*user NOT in sudoers.*"
| rename acct as Users
| rex field=_raw "(?<=sudo:)\s*(?P<Users>[[:alnum:]]\S*[[:alnum:]])\s*(?=\:).*(?<=COMMAND\=)(?<command>.*)"
| eval "Command/Events" = replace(command,"^(\/bin\/|\/sbin\/)","")
| eval Users = if(match(Users,"(?<=[[:alnum:]])\@[[:alnum:]]\S*[[:alnum:]]"),
replace(Users,"(?<=[[:alnum:]])\@[[:alnum:]]\S*[[:alnum:]]",""),
if(match(Users,"[[:alnum:]]+\\\(?=[[:alnum:]]\S*[[:alnum:]])"),
replace(Users,"[[:alnum:]]+\\\(?=[[:alnum:]]\S*[[:alnum:]])","")
,Users))
| eval Time = if(source=="/var/log/secure" ,strftime(_time, "%Y-%d-%m %H:%M:%S"),null()), Date = strftime(_time, "%Y-%d-%m")
| eval "Report ID" = "ABLR-007"
| eval "Agency HF" = if(isnull(agencyhf),"",agencyhf)
| stats list(Time) as Time list("Command/Events") as "Command/Events" latest(addr) as "IP Address" by Users Date host index "Report ID" "Agency HF"
| where 'Command/Events' !=""
| eval counter=mvrange(0,mvcount(Time))
| streamstats count as sessions
| stats list(*) as * by sessions counter
| foreach Time "Command/Events" [ eval <<FIELD>> = mvindex('<<FIELD>>', counter)]
| fields - counter sessions
| rename index as Agency, host as Hostname
| fields "Report ID" Time Agency Command/Events Hostname Users "IP Address" "Agency HF"
Problem
The SPL runs slow when I have a lot of data. I just want to know if it is possible to trim down the results returned by /var/log/audit/audit.log by passing the latest time in /var/log/secure. For example, the latest record in /var/log/secure is May 5 2020, 2pm... is it possible to run a search for the other one, /var/log/audit/audit.log, that is from May 5 2020 00:00 to May 5 2pm? And if I have other events too, like Feb 3 8pm as the latest time... can I achieve it?
Hello @xnx_1012 ,
you can definitely optimize this search.
Your question: I just want to know if it is possible to trim down the results returned by /var/log/audit/audit.log by passing the latest time in /var/log/secure. - I hope somebody can advise on this better than me.
The SPL runs slow when I have a lot of data. - I think this is caused by using too broad and not exact search criteria. Depending on your environment these adjustments can provide a major speedup:
replace index=*
with index=your_index
TERM(useradd)
instead of *useradd*
Let me know if it worked
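The time-bounding the question asks for, as an added example that is not part of this thread's answers: the subsearch finds the latest sudo event in /var/log/secure and hands that day's midnight and the event time back as earliest/latest for the audit.log search, so only that window of audit.log is scanned. The wildcards are replaced with plain keywords (which hit the index lexicon directly); `your_index` is a placeholder for the real index name.

```spl
index=your_index ```your_index is a placeholder, not a real index name``` source="/var/log/audit/audit.log" addr!=? res=success*
    [ search index=your_index source="/var/log/secure" sudo
        (chown OR useradd OR adduser OR userdel OR chmod OR usermod)
        COMMAND!="*egrep*"
      | stats max(_time) AS latest
      | eval earliest=floor(relative_time(latest, "@d")), latest=ceiling(latest)
      | return earliest latest ```expands to earliest=<epoch> latest=<epoch> in the outer search``` ]
| regex _raw!=".*user NOT in sudoers.*"
| stats count AS events latest(addr) AS "IP Address" BY acct, host
```

`return earliest latest` yields a single window, so this answers the "latest record is May 5, 2pm" case; for several days at once the page's existing `dedup date_month date_mday` subsearch is still the way to go, with the same non-wildcard keywords. Note that `TERM(useradd)` only matches a token bounded by major breakers, so it will not find `useradd` inside `COMMAND=/usr/sbin/useradd`; the bare keyword does.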
Thank you for your reply. Is TERM faster? Is that why you suggest I use it? And how can I implement stats? Sorry, a bit new to it.