Splunk Search

How to search and extract SSH user accounts which are logged in with an interactive login based on my sample data?

akashjohn
Explorer

Hi Team,

I am looking for a Splunk search to get a statistics table output

I am looking for is the SSH user accounts which are logged in with interactive login and note that the user names will be starting with a specific prefix as support_ (support_1, support_2, etc). Could you please let me know how can we achieve this?

0 Karma

sundareshr
Legend

Try this

index=xyz ("sshd" AND "keyboard-interactive/pam for support_*")  | rex "support_(?<support_user>[^\s]+)"  | stats count by support_user 
0 Karma

jplumsdaine22
Influencer

Without knowing what fields are available to you, this following search would work:

"Accepted keyboard-interactive/pam for support_*" 

If you want to extract the username inline you can try this

"Accepted keyboard-interactive/pam for support_*"  | rex _raw="support_(?<support_user>[^\s]+)" 

And then append whatever stats/timechart etc search you wish after that, eg

"Accepted keyboard-interactive/pam for support_*"  | rex _raw="support_(?<support_user>[^\s]+)"  | stats count by user
0 Karma

renjith_nair
Legend

Do you have some sample data and field names? If you just want to exclude specific strings , just try

index=yourindex source=yoursource ...rest of your search NOT "support_*"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

akashjohn
Explorer

Hi Renjith,

Please find the sample data below,

Jul 13 04:23:07 dev-ron-aka-vin sshd[23227]: Accepted keyboard-interactive/pam for support_win_dev_scope from 10.1.0.2  port 56359 ssh2

We need to extract the user names (in above case support_win_dev_scope ) form all samples like this.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...