How to set up an alert that will show when someone other than those 3 users is trying to log in?

kbohlken
Observer

I have a small environment.  I have 3 users that are allowed to log in to a particular server.  If I search:

index=<index name>  user=<username>  OR user=<username> OR user=<username>

I find all instances of them logging in.  How can I find users that are not equal to those 3 users?  I want to set up an alert that will let me know when someone other than those 3 is trying to log in.

0 Karma

gcusello
SplunkTrust

Hi @kbohlken,

if you're speaking of logging in to Splunk itself, you can use these searches (the Splunk_Audit eventtype and the two eventtypes built on it):

Splunk_Audit eventtype:

index=_audit sourcetype=audittrail action="login attempt"

Splunk_Logfail eventtype:

eventtype=Splunk_Audit info=failed

Splunk_Login eventtype:

eventtype=Splunk_Audit info=succeeded

Ciao.

Giuseppe

0 Karma

kbohlken
Observer

Not logging into Splunk.  I have a server that forwards its logs to Splunk.  I want Splunk to alert me when someone who is not one of the three users tries to log in.  I want to define which three users are allowed, and if anyone besides them tries, I will be notified.  I do not want failed attempts.  Just when it is someone I do not know.

0 Karma

gcusello
SplunkTrust

Hi @kbohlken,

what kind of server do you have: Windows or Linux?

if you are speaking of a Windows server, you could run something like this (the filter and the stats must use the same field; the Windows add-on extracts the account as Account_Name, and Splunk field names are case-sensitive):

index=wineventlog EventCode=4624 Account_Name!="*SERVI*" AND Account_Name!="SYST*"
| stats count BY Account_Name

if you are speaking of a Linux server, you could run something like this:

index=os "accepted password"
| stats count BY user

Ciao.

Giuseppe

0 Karma
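Putting the thread together, here is an added example (not code from either poster) of what the asker actually wanted: a scheduled alert that fires only when an account outside a fixed allowlist logs in successfully, written as a savedsearches.conf stanza. It follows the Linux case from the last reply and assumes that the server's sshd messages land in index=os with sourcetype linux_secure, that the host is named SERVER01, that the three permitted accounts are alice, bob and carol, that the Unix add-on extracts the fields user and src, and that the alert is e-mailed to secops@example.com; every one of those names is a placeholder to replace.

```ini
# savedsearches.conf (added example, not from the thread).
# Assumptions: auth log in index=os / sourcetype=linux_secure, host=SERVER01,
# allowed accounts alice/bob/carol, and the add-on extracts "user" and "src".
# A trailing backslash continues a value on the next line in Splunk .conf files.
[Unexpected login on SERVER01]
# Successful logins only (the asker does not want failed attempts).
# user=* guards against events where no user field was extracted: without it,
# NOT user IN (...) is true for those events and the alert fires on an empty user.
search = index=os sourcetype=linux_secure host=SERVER01 \
    ("Accepted password" OR "Accepted publickey") \
    user=* NOT user IN ("alice", "bob", "carol") \
    | stats count AS logins, earliest(_time) AS first_seen, latest(_time) AS last_seen, \
        values(src) AS src_ip BY host, user \
    | convert ctime(first_seen) ctime(last_seen)
# Look back over the same window the schedule covers, so no login is missed or double-reported.
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
# Fire whenever at least one unexpected account appears in the results.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# One alert per offending user rather than one digest for the whole run.
alert.digest_mode = 0
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = secops@example.com
action.email.subject = Unexpected login on $result.host$ by $result.user$
```

Two practical notes. Field-value matching in SPL is case-insensitive, so "Alice" is still treated as an allowed account; if the accounts live in a directory where case matters, normalise with `eval user=lower(user)` before the filter. Once the allowlist grows past a handful of names, keep it in a lookup instead of the search string and replace the IN() clause with `NOT [| inputlookup allowed_users.csv | fields user]`, so the search never has to be edited to add or remove a person. For the Windows case from the last reply, the same stanza works with `index=wineventlog EventCode=4624` in place of the sshd terms, grouping on the account field the Windows add-on provides, and it is worth additionally excluding machine accounts (names ending in `$`) so that computer logons do not trip the alert.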