I have a small environment. I have 3 users that are allowed to log in to a particular server. If I search:
index=<index name> user=<username> OR user=<username> OR user=<username>
I find all instances of them logging in. How can I find users that are not equal to those 3 users? I want to set up an alert that will let me know when someone other than those 3 are trying to log in.
If you're speaking of logging in to Splunk, you can use this search:
index=_audit sourcetype = audittrail action="login attempt"
Not logging into Splunk. I have a server that forwards its logs to Splunk. I want Splunk to alert me when someone who is not one of the three users tries to log in. I want to define which three users are allowed, and if anyone besides them tries I will be notified. I do not want failed attempts. Just when it is someone I do not know.
What kind of server do you have: Windows or Linux?
If you are speaking of a Windows server, you could run something like this:
index=wineventlog EventCode=4624 Account_Name!="*SERVI*" AND Account_Name!="SYST*" | stats count BY Account_Name
If you are speaking of a Linux server, you could run something like this:
index=os "accepted password" | stats count BY user
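The searches above count logins per account but do not yet exclude the three allowed users. The allow-list logic the asker describes, applied to both the Windows 4624 and the Linux sshd cases, as an added example that is not part of the original thread: it parses constructed sample log lines (not real data) and returns only successful logins by accounts outside the allow-list, dropping failed attempts, machine accounts and service logons. The user names, IP addresses and the assumption that Splunk's Windows add-on puts the "New Logon" account in the `user` field are all assumptions made for the example. In SPL the same filter would read, for Windows, `index=wineventlog EventCode=4624 (Logon_Type=2 OR Logon_Type=10) user!="*$" user!="alice" user!="bob" user!="carol"` and, for Linux, `index=os ("Accepted password" OR "Accepted publickey") user!="alice" user!="bob" user!="carol"`, assuming the `user` field is extracted for both sourcetypes; save either search as an alert that fires when it returns any results.

```python
import re
from typing import Iterable

# Assumed allow-list: the three accounts permitted to log in to the server.
ALLOWED_USERS = {"alice", "bob", "carol"}

# Constructed sshd lines in the format Linux syslog forwards to Splunk (not real data).
LINUX_AUTH_LOG = """\
Mar  3 10:01:12 web01 sshd[2210]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar  3 10:02:40 web01 sshd[2231]: Failed password for mallory from 10.0.0.9 port 51100 ssh2
Mar  3 10:03:01 web01 sshd[2235]: Accepted publickey for bob from 10.0.0.6 port 51130 ssh2
Mar  3 10:05:55 web01 sshd[2260]: Accepted password for mallory from 10.0.0.9 port 51180 ssh2
Mar  3 10:07:20 web01 sshd[2270]: Accepted password for carol from 10.0.0.7 port 51200 ssh2
"""

# Only successful logins match this pattern; "Failed password" lines never do.
SSHD_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<src>\S+)"
)


def unexpected_linux_logins(log_text: str, allowed=ALLOWED_USERS) -> list[tuple[str, str]]:
    """Return (user, source_ip) for every successful sshd login by a non-allowed user."""
    hits = []
    for line in log_text.splitlines():
        m = SSHD_ACCEPTED.search(line)
        if m and m.group("user") not in allowed:
            hits.append((m.group("user"), m.group("src")))
    return hits


# Constructed Windows Security events as Splunk's Windows add-on would extract them.
# Assumption: `user` holds the "New Logon" account for EventCode 4624.
WINDOWS_EVENTS = [
    {"EventCode": 4624, "Logon_Type": 10, "user": "alice"},    # RDP, allowed
    {"EventCode": 4624, "Logon_Type": 5,  "user": "SYSTEM"},   # service logon, noise
    {"EventCode": 4624, "Logon_Type": 3,  "user": "WEB01$"},   # machine account, noise
    {"EventCode": 4624, "Logon_Type": 10, "user": "mallory"},  # RDP by an unknown user
    {"EventCode": 4625, "Logon_Type": 10, "user": "dave"},     # failed logon, not wanted
    {"EventCode": 4624, "Logon_Type": 2,  "user": "carol"},    # console, allowed
]

# Logon types that represent a person signing in: 2 interactive, 10 remote interactive.
INTERACTIVE_LOGON_TYPES = {2, 10}
NOISE_ACCOUNTS = {"SYSTEM", "ANONYMOUS LOGON"}


def unexpected_windows_logons(events: Iterable[dict], allowed=ALLOWED_USERS) -> list[str]:
    """Return account names of successful interactive logons by non-allowed users."""
    hits = []
    for e in events:
        if e["EventCode"] != 4624:
            continue  # 4625 (failure) and everything else is ignored
        if e["Logon_Type"] not in INTERACTIVE_LOGON_TYPES:
            continue  # service, network and batch logons are routine noise
        user = e["user"]
        if user.endswith("$") or user.upper() in NOISE_ACCOUNTS:
            continue  # machine accounts and built-ins, same intent as the *SERVI*/SYST* filters
        if user not in allowed:
            hits.append(user)
    return hits


if __name__ == "__main__":
    print("linux  :", unexpected_linux_logins(LINUX_AUTH_LOG))
    print("windows:", unexpected_windows_logons(WINDOWS_EVENTS))
```

Keeping the allow-list in one place (a lookup table in Splunk, the `ALLOWED_USERS` set here) is what makes the alert maintainable: adding a fourth permitted account is a data change, not a search rewrite. Excluding machine accounts and non-interactive logon types matters on Windows because a plain `EventCode=4624` search on a domain-joined server fires constantly for the computer account itself.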