
Need help with regular expression to extract successful and failed logins from /var/log/secure in a search

Splunk_Ryan
Explorer

I would like to extract user name, source IP, source port and access protocol from the following 2 events from /var/log/secure.

03/06/2021 17:29:44.000
Jun 3 17:29:44 XXX sshd[9668]: Failed password for userXXX from 192.168.XXX.XXX port 63568 ssh2
host = 10.0.0.XXX
source = /var/log/secure
sourcetype = linux_secure

03/06/2021 00:13:41.000
Jun 3 00:13:41 XXX sshd[18404]: Accepted password for userXXX from 192.168.XXX.XXX port 60272 ssh2
host = 10.0.0.XXX
source = /var/log/secure
sourcetype = linux_secure

The search output statistics should be like this:

Host, User, Source IP, Source Port, Protocol
10.0.0.XXX, userXXX, 192.168.XXX.XXX, 6XXXX, ssh2

Could anyone help to finish the search below? Much appreciated.

sourcetype=linux_secure " Accepted password " | rex field= ???? (?<user>[^ ]+)"  | chart count BY host,user, source_ip, source_port, protocal

sourcetype=linux_secure "Failed password" | rex field= ???? (?<user>[^ ]+)"  | chart count BY host,user, source_ip, source_port, protocal

 


kamlesh_vaghela
SplunkTrust
SplunkTrust

@Splunk_Ryan 

You should try something like this.

YOUR_SEARCH | rex field=_raw "for\s(?<user>.*)\sfrom\s(?<src>.*)\sport\s(?<port>\d+)\s(?<protocol>.*)$"

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.


gcusello
SplunkTrust
SplunkTrust

Hi @Splunk_Ryan,

you could use the following two regexes:

your_search
| rex "password\s+for\s+(?<User>\w+)\s+from\s+(?<Source_IP>\d+\.\d+\.\d+\.\d+)\s+port\s+(?<Source_Port>\d+)\s+(?<Protocol>\w+)"
| rex field=host "(?<Host>\d+\.\d+\.\d+\.\d+)"
| table Host User Source_IP Source_Port Protocol

that you can test at https://regex101.com/r/31nIJn/1 and https://regex101.com/r/31nIJn/2

Ciao.

Giuseppe


Splunk_Ryan
Explorer

Thanks gcusello,

What if the failed login attempt has one more form like this:

03/06/2021 17:29:44.000
Jun 3 17:29:44 ntp sshd[9668]: Failed password for invalid user XXX from 192.168.XXX.XXX port 63568 ssh2
host = ntp 192.168.XXX.XXX
source = /var/log/secure
sourcetype = linux_secure


gcusello
SplunkTrust
SplunkTrust

Hi @Splunk_Ryan,

in this case, please, try this:

your_search
| rex "password\s+for\s+(?:invalid\s+user\s+)?(?<User>\w+)\s+from\s+(?<Source_IP>\d+\.\d+\.\d+\.\d+)\s+port\s+(?<Source_Port>\d+)\s+(?<Protocol>\w+)"
| rex field=host "(?<Host>\d+\.\d+\.\d+\.\d+)"
| table Host User Source_IP Source_Port Protocol

that you can test at https://regex101.com/r/x3iWWD/1

Ciao.

Giuseppe

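As an added example, not part of this thread or of gcusello's answer, the same extraction written with Python's `re` module and run over constructed sample events in the three shapes shown above (Failed, Accepted, and Failed for an invalid user) plus one non-authentication line that must be ignored. Python names capture groups `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`; otherwise the pattern is the accepted answer's, with two deliberate generalisations: the username group is widened from `\w+` to `\S+` so names containing dots or hyphens are captured, and the host IP is taken from the `host` metadata value rather than from the raw line, since that value is not part of `_raw`. All sample data is constructed.

```python
import re
from collections import Counter

# Constructed sample events in the shape shown in the thread (not real log data).
# Each tuple is (host metadata field, _raw event line).
SAMPLE_EVENTS = [
    ("10.0.0.5",
     "Jun 3 17:29:44 XXX sshd[9668]: Failed password for userXXX from 192.168.1.20 port 63568 ssh2"),
    ("10.0.0.5",
     "Jun 3 00:13:41 XXX sshd[18404]: Accepted password for userXXX from 192.168.1.20 port 60272 ssh2"),
    ("ntp 192.168.1.9",
     "Jun 3 17:29:44 ntp sshd[9668]: Failed password for invalid user XXX from 192.168.1.20 port 63568 ssh2"),
    # Not a password-auth event: the extractor must skip it rather than mis-parse it.
    ("10.0.0.5",
     "Jun 3 17:30:02 XXX sshd[9700]: pam_unix(sshd:session): session opened for user root by (uid=0)"),
]

# "invalid user " is optional, so both Failed forms and the Accepted form match.
# Outcome is captured too, so one pass covers the two separate searches in the question.
EVENT_RE = re.compile(
    r"(?P<Outcome>Accepted|Failed)\s+password\s+for\s+(?:invalid\s+user\s+)?"
    r"(?P<User>\S+)\s+from\s+(?P<Source_IP>\d+\.\d+\.\d+\.\d+)\s+port\s+"
    r"(?P<Source_Port>\d+)\s+(?P<Protocol>\w+)"
)
# Pulls an IPv4 address out of the host metadata value ("ntp 192.168.1.9" -> "192.168.1.9").
HOST_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)")


def extract(host, raw):
    """Return the extracted fields for one event, or None if it is not a password-auth event."""
    m = EVENT_RE.search(raw)
    if not m:
        return None
    fields = m.groupdict()
    host_m = HOST_RE.search(host)
    # Fall back to the unchanged host value when it carries no IP address.
    fields["Host"] = host_m.group(1) if host_m else host
    return fields


def chart_count(events):
    """Equivalent of `chart count BY Host Outcome User Source_IP Source_Port Protocol`."""
    counts = Counter()
    for host, raw in events:
        f = extract(host, raw)
        if f:
            key = (f["Host"], f["Outcome"], f["User"], f["Source_IP"],
                   f["Source_Port"], f["Protocol"])
            counts[key] += 1
    return counts


def failed_by_source(events):
    """Count Failed events per Source_IP: the view that surfaces password guessing."""
    counts = Counter()
    for host, raw in events:
        f = extract(host, raw)
        if f and f["Outcome"] == "Failed":
            counts[f["Source_IP"]] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(chart_count(SAMPLE_EVENTS).items()):
        print(*key, n)
    print("failed by source:", dict(failed_by_source(SAMPLE_EVENTS)))
```

Counting by the full key reproduces the `chart count BY ...` step from the question, and `failed_by_source` is the aggregation a defender actually watches: many Failed rows from one Source_IP across several User values is the signal this extraction makes visible.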

Splunk_Ryan
Explorer

Thanks again gcusello,

It works!


gcusello
SplunkTrust
SplunkTrust

Hi @Splunk_Ryan,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉
