If a user can log in by ssh to HOST2 only from HOST1, how to search logins to HOST2 if the user did not previously log in to HOST1?

vkor
New Member

I have two hosts: HOST1 and HOST2. A user can log in by ssh to HOST2 only from HOST1.
I need to search logins to HOST2 where the user did not previously log in to HOST1.

Sample logs
Apr 21 19:02:30 HOST1 sshd[7710]: pam_unix(sshd:session): session closed for user root
Apr 21 19:01:46 HOST2 sshd[9897]: pam_unix(sshd:session): session closed for user root
Apr 21 19:01:46 HOST2 sshd[9897]: Received disconnect from 192.168.0.43: 11: disconnected by user
Apr 21 18:20:01 HOST2 sshd[9897]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 21 18:20:00 HOST2 sshd[9897]: Accepted password for root from 192.168.0.43 port 35017 ssh2

Apr 21 18:19:35 HOST1 sshd[7710]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 21 18:19:35 HOST1 sshd[7710]: Accepted password for root from 192.168.0.72 port 49680 ssh2

I tried the transaction command, but didn't figure out how to build a proper search.

Has anybody done the same?

0 Karma

aalanisr26
Path Finder
index=blah HOST1 OR HOST2 pam_unix session opened
| rex field=_raw "\d+\sPM\s(?<host>\w+)"
| rex field=_raw "for\suser\s(?<user>\w+)"
| transaction startswith=HOST1 endswith=HOST2 maxevents=2 keepevicted=true
| where closed_txn==0

This will give you any user that opened a session on HOST2 but not on HOST1.

0 Karma

vkor
New Member

This is almost exactly what I wanted, thanks.
rex field=_raw "\d+\sPM\s(?<host>\w+)" returns an error in my Splunk 6.2,
so the final search string for me:

index=foo pam_unix session opened | transaction user startswith=HOST1 endswith=HOST2 maxevents=2 keepevicted=true | where closed_txn==0
0 Karma

MuS
SplunkTrust
SplunkTrust

Assuming you have two fields for host and IP and IP of HOST1 is 192.168.0.43, did you try something like this:

host=HOST2 sshd NOT IP=192.168.0.43

vkor
New Member

Oh, that is very simple, thank you.

0 Karma

MuS
SplunkTrust
SplunkTrust

You're welcome; if it works, feel free to accept the answer 😉
If you need help getting the field extracted automatically, check the docs: http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/ExtractfieldsinteractivelywithIFX

0 Karma
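The correlation the thread is after, written out as an added example that is not part of the original thread and not Splunk code: a Python script that replays sshd syslog lines in time order and reports HOST2 logins that either came from an address other than HOST1's (the filter in MuS's answer) or arrived while the same user had no open sshd session on HOST1 (the pairing the `transaction user startswith=HOST1 endswith=HOST2` search does). It goes slightly beyond the SPL by tracking session open and close events, so a HOST1 session that had already closed before the HOST2 login is also reported, which a plain source-IP filter would miss. HOST1's address 192.168.0.43 is taken from the accepted answer; the year (syslog lines carry none) and the last two logins in the sample are constructed additions to the thread's own sample events.

```python
"""Correlate sshd logs from a bastion (HOST1) and a target (HOST2).

Added example for the thread above, not the poster's or Splunk's code.
Sample events are constructed: the first seven lines are the thread's
sample logs in time order, the last four are invented to show misses.
"""
import re
from datetime import datetime

HOST1_IP = "192.168.0.43"  # assumption, taken from the accepted answer
LOG_YEAR = 2015            # assumption: syslog lines carry no year

SAMPLE_LOG = """\
Apr 21 18:19:35 HOST1 sshd[7710]: Accepted password for root from 192.168.0.72 port 49680 ssh2
Apr 21 18:19:35 HOST1 sshd[7710]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 21 18:20:00 HOST2 sshd[9897]: Accepted password for root from 192.168.0.43 port 35017 ssh2
Apr 21 18:20:01 HOST2 sshd[9897]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 21 19:01:46 HOST2 sshd[9897]: Received disconnect from 192.168.0.43: 11: disconnected by user
Apr 21 19:01:46 HOST2 sshd[9897]: pam_unix(sshd:session): session closed for user root
Apr 21 19:02:30 HOST1 sshd[7710]: pam_unix(sshd:session): session closed for user root
Apr 21 21:10:05 HOST2 sshd[10234]: Accepted publickey for root from 192.168.0.43 port 40011 ssh2
Apr 21 21:10:05 HOST2 sshd[10234]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 21 22:15:40 HOST2 sshd[10500]: Accepted password for alice from 10.0.0.9 port 50022 ssh2
Apr 21 22:15:40 HOST2 sshd[10500]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

# syslog header: "Apr 21 18:19:35 HOST1 sshd[7710]: <message>"
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\ssshd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
ACCEPTED = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
OPENED = re.compile(r"session opened for user (?P<user>\S+)")
CLOSED = re.compile(r"session closed for user (?P<user>\S+)")


def parse(lines, year=LOG_YEAR):
    """Return (time, host, pid, kind, user, src_ip) tuples, oldest first.

    kind is one of "accepted", "opened", "closed"; other sshd messages
    (e.g. "Received disconnect") are ignored. src_ip is only known for
    "accepted" events.
    """
    events = []
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        msg = m["msg"]
        a = ACCEPTED.match(msg)
        o = OPENED.search(msg)
        c = CLOSED.search(msg)
        if a:
            events.append((ts, m["host"], m["pid"], "accepted", a["user"], a["ip"]))
        elif o:
            events.append((ts, m["host"], m["pid"], "opened", o["user"], None))
        elif c:
            events.append((ts, m["host"], m["pid"], "closed", c["user"], None))
    events.sort(key=lambda e: e[0])  # stable: same-second events keep log order
    return events


def suspicious_target_logins(lines, bastion="HOST1", target="HOST2", bastion_ip=HOST1_IP):
    """Return [(time, user, src_ip, reasons)] for target logins that bypassed the bastion.

    A login is reported if its source address is not the bastion, or if the
    same user had no sshd session open on the bastion at that moment.
    """
    open_on_bastion = {}  # user -> set of bastion sshd pids with an open session
    findings = []
    for ts, host, pid, kind, user, ip in parse(lines):
        if host == bastion:
            if kind == "opened":
                open_on_bastion.setdefault(user, set()).add(pid)
            elif kind == "closed":
                open_on_bastion.get(user, set()).discard(pid)
        elif host == target and kind == "accepted":
            reasons = []
            if ip != bastion_ip:
                reasons.append("source ip is not the bastion")
            if not open_on_bastion.get(user):
                reasons.append("no open bastion session for this user")
            if reasons:
                findings.append((ts.strftime("%b %d %H:%M:%S"), user, ip, reasons))
    return findings


if __name__ == "__main__":
    for when, user, ip, why in suspicious_target_logins(SAMPLE_LOG.splitlines()):
        print(f"{when} {user} from {ip}: {'; '.join(why)}")
```

Run as-is, it reports the 21:10:05 root login (right source address, but root's HOST1 session had closed at 19:02:30) and the 22:15:40 alice login (wrong source address and no HOST1 session); the 18:20:00 root login is accepted because a HOST1 session for root was open at the time. The session tracking is what a source-IP-only filter cannot give you: anything that runs on HOST1 outside an sshd session (console login, cron, a forwarded connection) still originates from HOST1's address.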