Hi guys! I would like to count the failed and successful logons on my SFTP. The events are
Successful logins from different accounts:
[40] Sat 24Feb18 01:53:49 - (1809219) HTTP_LOGIN: user: MYUSER; domain: cname.mydomain.com
[31] Sun 25Feb18 20:05:03 - (1836845) SSH2_MSG_USERAUTH_SUCCESS: successful login
Failed logins from different accounts:
[31] Sun 25Feb18 20:05:03 - (1836845) SSH2_MSG_USERAUTH_FAILURE: login failed
[41] Sat 24Feb18 01:53:38 - (1809216) HTTP_OKAY (200): SESS_FAIL
So I made this search:
index="sftp" SSHCommand="MSG_USERAUTH_SUCCESS" OR http_command=LOGIN OR SSHCommand="MSG_USERAUTH_FAILURE" OR Event_Message="*SESS_FAIL*" Event_Message="HTTP_OKAY (200): SESS_FAIL"
| eval type=IF(SSHCommand="MSG_USERAUTH_SUCCESS" OR (Event_Message="HTTP_LOGIN: user:*"),"SUCCESS", IF(SSHCommand="MSG_USERAUTH_FAILURE" OR Event_Message="HTTP_OKAY (200): SESS_FAIL","FAIL","OTHER"))
| stats list(Event_Message) by type
But it returns "other" values that start with:
HTTP_LOGIN: user: MYUSER; domain: cname.mydomain.com
Any ideas?
My mistake was that I had forgotten the "" with "LOGIN".
Please cancel my question.
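As an added example (not part of the original question and not Splunk code), the same SUCCESS/FAIL classification done in Python over constructed lines in the layout quoted above; it also shows why the HTTP_LOGIN message, which varies per user, has to be matched by prefix rather than compared for equality with a literal containing "*".

```python
import re
from collections import Counter

# Constructed sample lines in the same layout as the events quoted in the question.
SAMPLE_LOG = """\
[40] Sat 24Feb18 01:53:49 - (1809219) HTTP_LOGIN: user: MYUSER; domain: cname.mydomain.com
[31] Sun 25Feb18 20:05:03 - (1836845) SSH2_MSG_USERAUTH_SUCCESS: successful login
[31] Sun 25Feb18 20:05:03 - (1836845) SSH2_MSG_USERAUTH_FAILURE: login failed
[41] Sat 24Feb18 01:53:38 - (1809216) HTTP_OKAY (200): SESS_FAIL
[12] Sat 24Feb18 01:53:40 - (1809216) HTTP_OKAY (200): some other response
"""

# One record: "[level] <timestamp> - (<session id>) <event message>"
LINE_RE = re.compile(r"^\[(?P<level>\d+)\]\s+(?P<ts>.+?)\s+-\s+\((?P<sid>\d+)\)\s+(?P<msg>.*)$")

# Classification rules, tried in order. The HTTP_LOGIN message carries the user and
# domain, so it is tested by prefix: an equality comparison against the literal string
# "HTTP_LOGIN: user:*" never matches (the "*" is just a character there), and such
# events would fall through to OTHER.
RULES = [
    ("SUCCESS", lambda m: m.startswith("SSH2_MSG_USERAUTH_SUCCESS")),
    ("SUCCESS", lambda m: m.startswith("HTTP_LOGIN: user:")),
    ("FAIL", lambda m: m.startswith("SSH2_MSG_USERAUTH_FAILURE")),
    ("FAIL", lambda m: m == "HTTP_OKAY (200): SESS_FAIL"),
]

def parse_line(line):
    """Return the parsed record as a dict, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(msg):
    """Map an event message to SUCCESS, FAIL or OTHER using RULES."""
    for event_type, pred in RULES:
        if pred(msg):
            return event_type
    return "OTHER"

def count_logons(text):
    """Count events per type, the equivalent of the stats-by-type in the question."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[classify(rec["msg"])] += 1
    return dict(counts)

if __name__ == "__main__":
    print(count_logons(SAMPLE_LOG))  # {'SUCCESS': 2, 'FAIL': 2, 'OTHER': 1}
```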