jagadeeshm
Contributor
03-15-2017
10:51 PM
Wondering if there is a default sourcetype that can be used to extract source_ip and user from secure.log files?
source_ip is easy because of the format.
user is a little bit tricky because of the different formats of the log lines.
Example events -
Thu Mar 16 2017 05:42:48 www1 sshd[3061]: Failed password for invalid user ubuntu from 78.111.167.117 port 3346 ssh2
Thu Mar 16 2017 05:31:31 www1 sshd[9216]: Accepted password for djohnson from 10.3.10.46 port 2750 ssh2
Thu Mar 16 2017 04:42:27 www1 sshd[56680]: pam_unix(sshd:session): session opened for user djohnson by (uid=0)
In this case, should we run the extraction several times and save the regex pattern for each type of event separately?
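An added example (not from this thread and not Splunk's own code) showing that two named-group patterns are enough to cover all three event shapes above: the optional "invalid user " prefix lets one pattern serve both the Failed and the Accepted line, and the pam_unix session line gets its own pattern because it carries no source address. The group names are the field names the question asks for, so an equivalent PCRE pattern with the same names would yield the same fields in a Splunk `rex` command or EXTRACT stanza.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# The three events from the question, reused here as sample input.
SAMPLE_EVENTS = [
    "Thu Mar 16 2017 05:42:48 www1 sshd[3061]: Failed password for invalid user ubuntu from 78.111.167.117 port 3346 ssh2",
    "Thu Mar 16 2017 05:31:31 www1 sshd[9216]: Accepted password for djohnson from 10.3.10.46 port 2750 ssh2",
    "Thu Mar 16 2017 04:42:27 www1 sshd[56680]: pam_unix(sshd:session): session opened for user djohnson by (uid=0)",
]

# Pattern 1: authentication attempts. "invalid user " is optional, so one
# pattern handles both the Failed and the Accepted shape.
AUTH_RE = re.compile(
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from "
    r"(?P<source_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)
# Pattern 2: pam_unix session lines carry a user but no source address.
SESSION_RE = re.compile(r"session (?P<action>opened|closed) for user (?P<user>\S+)")


def extract(event: str) -> Optional[Dict[str, object]]:
    """Return the extracted fields for one secure.log line, or None if nothing matches."""
    m = AUTH_RE.search(event)
    if m:
        return {
            "user": m.group("user"),
            "source_ip": m.group("source_ip"),
            "outcome": m.group("outcome"),
            "invalid_user": m.group("invalid") is not None,
        }
    m = SESSION_RE.search(event)
    if m:
        return {"user": m.group("user"), "source_ip": None,
                "outcome": "session_" + m.group("action"), "invalid_user": False}
    return None


def failed_logins_by_ip(events: List[str]) -> Counter:
    """Count failed attempts per source_ip, the usual first chart once the field exists."""
    counts: Counter = Counter()
    for e in events:
        f = extract(e)
        if f and f["outcome"] == "Failed":
            counts[f["source_ip"]] += 1
    return counts


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(extract(e))
    print(failed_logins_by_ip(SAMPLE_EVENTS))
```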
1 Solution
woodcock
Esteemed Legend
03-16-2017
02:07 PM
gcusello

SplunkTrust
03-16-2017
01:10 AM
Hi jagadeeshm,
have you seen:
- Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833/);
- Splunk App for Unix and Linux (https://splunkbase.splunk.com/app/273/#/overview);
- Linux Auditd (https://splunkbase.splunk.com/app/2642/#/overview).
In these apps you can find all the usual definitions for Unix.
Bye.
Giuseppe
