Splunk Search

Log correlation for login without active (VPN) session

rgerritse
New Member

First post so: hi all!

I need some help to set up an alert if a user logs in on one of our systems without an active VPN. To do this I want to correlate some events from the VPN device:

VPN connect:
{"syslog_program":"%ASA-4-722051","type":"syslog","syslog_severity":"warning","received_by":"redis","received_from":"hostname","time_lag":1289,"@version":"1","host":"vpn-005","syslog_pri":"164","syslog_severity_code":4,"syslog_facility":"local4","syslog_facility_code":20,"message":"<164>2018-10-01T03:07:11+02:00 vpn-005.bolcom.net %ASA-4-722051: Group <from-home> User <user> IP <1.2.3.4> IPv4 Address <1.2.3.4> IPv6 address <::> assigned to session","tags":["grok","pri","asnum","geoip","date","mutate_msg","mutate_host","cleanup"],"logline_size":178,"@message":"Group <from-home> User <user> IP <1.2.3.4> IPv4 Address <1.2.3.4> IPv6 address <::> assigned to session","@timestamp":"2018-10-01T01:07:11.000Z","processed_by":"hostname","vpn":{"internal_ip":"1.2.3.4","as":{"name":"<redacted>","num":"<redacted>"},"geoip":{"country_name":"<redacted>","country_code":"XX","region_name":"Provincie XX","city_name":"XX","location":["XX","XX"]},"user":"user","group":"from-home","ip":"1.2.3.4"},"received_at":"2018-10-01T01:07:12.264Z"}
VPN disconnect:
{"syslog_severity_code":4,"syslog_facility":"local4","syslog_facility_code":20,"syslog_program":"%ASA-4-722037","message":"<164>2018-10-01T23:51:11+02:00 host.fqdn.tld %ASA-4-722037: Group <from-home> User <user> IP <1.2.3.4> SVC closing connection: Transport closing.","type":"syslog","syslog_severity":"warning","tags":["grok","pri","date","mutate_msg","mutate_host","cleanup"],"logline_size":157,"@message":"Group <from-home> User <user> IP <1.2.3.4> SVC closing connection: Transport closing.","received_by":"redis","received_from":"shd-logredis-adm-002","time_lag":726,"@timestamp":"2018-10-01T21:51:11.000Z","processed_by":"shd-logstash-app-007_adm2","received_at":"2018-10-01T21:51:11.703Z","@version":"1","host":"vpn-007","syslog_pri":"164"}

And I want to correlate this to SSH logins:

{"syslog_pid":"20917","syslog_severity_code":6,"syslog_facility":"security/authorization","syslog_facility_code":10,"syslog_program":"sshd","message":"<86>2018-10-01T06:47:39.171948+02:00 hostname sshd[20917]: Accepted gssapi-with-mic for user from 1.2.3.4 port 51872 ssh2","type":"syslog","syslog_severity":"informational","tags":["grok","pri","date","mutate_msg","mutate_host","cleanup"],"logline_size":139,"@message":"Accepted gssapi-with-mic for user from 1.2.3.4 port 51872 ssh2","received_by":"redis","received_from":"hostname","time_lag":151,"@timestamp":"2018-10-01T04:47:39.171Z","processed_by":"shd-logstash-app-009_adm2","received_at":"2018-10-01T04:47:39.290Z","@version":"1","host":"hostname","syslog_pri":"86"}

I extract the username from the SSH login events using a regex as ssh_user. What I have so far is a search that should create transactions for the VPN logs and coalesce both user fields:

syslog_program="sshd" OR syslog_program="%asa-4*" | eval user=coalesce(ssh_user, 'vpn.user') | transaction user

This is where I'm stuck. Is this creating a proper transaction for Splunk to work with, and how do I create an alert for users without an active VPN from here?

0 Karma

rgerritse
New Member

I decided to stop using transactions for a while and see if I could get anything that works... sorta. So this is what I have now:

syslog_program="sshd" NOT [search syslog_program="%asa-4*" | fields vpn.user | rename vpn.user AS ssh_user]

And this correctly shows users logging in to SSH without events on VPN. \o/

The problem is that this does not take into account whether the event was a connect or a disconnect event.

0 Karma
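The connect/disconnect state that the subsearch approach loses can be made explicit by replaying the VPN events per user in time order and checking each SSH login against the sessions open at that moment. The Python below is an added illustration of that logic over constructed sample lines, not the poster's search or anything from Splunk; the user names, hosts and trimmed event shapes are made up to mirror the JSON above, and the regex group name is my own.

```python
import json
import re
from collections import defaultdict

# Constructed sample log lines (not the poster's data), trimmed to the fields the
# correlation needs but keyed exactly like the Logstash/ASA JSON shown above.
LOG_LINES = [
    '{"syslog_program":"%ASA-4-722051","@timestamp":"2018-10-01T01:07:11.000Z","host":"vpn-005",'
    '"vpn":{"user":"alice","ip":"1.2.3.4"}}',
    '{"syslog_program":"sshd","@timestamp":"2018-10-01T04:47:39.171Z","host":"app-01",'
    '"@message":"Accepted gssapi-with-mic for alice from 1.2.3.4 port 51872 ssh2"}',
    '{"syslog_program":"sshd","@timestamp":"2018-10-01T05:00:00.000Z","host":"app-02",'
    '"@message":"Accepted publickey for bob from 10.9.8.7 port 40000 ssh2"}',
    '{"syslog_program":"%ASA-4-722037","@timestamp":"2018-10-01T21:51:11.000Z","host":"vpn-007",'
    '"vpn":{"user":"alice","ip":"1.2.3.4"}}',
    '{"syslog_program":"sshd","@timestamp":"2018-10-01T22:10:00.000Z","host":"app-01",'
    '"@message":"Accepted gssapi-with-mic for alice from 1.2.3.4 port 51900 ssh2"}',
]

VPN_CONNECT = "%ASA-4-722051"     # "IPv4 Address <...> assigned to session"
VPN_DISCONNECT = "%ASA-4-722037"  # "SVC closing connection"
# Same extraction the poster does with a regex for ssh_user; the group name is mine.
SSH_ACCEPT = re.compile(r"Accepted \S+ for (?P<user>\S+) from \S+ port")


def ssh_logins_without_vpn(lines):
    """Replay events in time order; return (timestamp, user, host) for each sshd
    'Accepted' whose user had no open VPN session at that moment. Assumes all
    @timestamp values are UTC in one ISO-8601 layout (string order == time order).
    Sessions are keyed by (user, ip) so two devices must both send 722037."""
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["@timestamp"])
    active = defaultdict(set)  # user -> set of VPN client IPs with an open session
    flagged = []
    for ev in events:
        prog = ev["syslog_program"]
        if prog == VPN_CONNECT:
            active[ev["vpn"]["user"]].add(ev["vpn"]["ip"])
        elif prog == VPN_DISCONNECT:
            active[ev["vpn"]["user"]].discard(ev["vpn"]["ip"])
        elif prog == "sshd":
            m = SSH_ACCEPT.search(ev.get("@message", ""))
            if m and not active[m.group("user")]:
                flagged.append((ev["@timestamp"], m.group("user"), ev["host"]))
    return flagged


if __name__ == "__main__":
    for ts, user, host in ssh_logins_without_vpn(LOG_LINES):
        print(f"{ts} {user} logged in to {host} without an active VPN session")
```

In Splunk the same replay maps to sorting by _time and running streamstats by user to carry the last VPN event forward; whichever way it is done, the search window has to reach back to the start of the longest plausible VPN session, otherwise a user whose 722051 fell before the window is flagged as if they had never connected.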