Need help with regular expression to extract successful and failed logins from /var/log/secure in a search

Splunk_Ryan
Explorer

I would like to extract user name, source IP, source port and access protocol from the following 2 events from /var/log/secure.

03/06/2021
17:29:44.000

Jun 3 17:29:44 XXX sshd[9668]: Failed password for userXXX from 192.168.XXX.XXX port 63568 ssh2

- host = 10.0.0.XXX
- source = /var/log/secure
- sourcetype = linux_secure

03/06/2021
00:13:41.000

Jun 3 00:13:41 XXX sshd[18404]: Accepted password for userXXX from 192.168.XXX.XXX port 60272 ssh2

- host = 10.0.0.XXX
- source = /var/log/secure
- sourcetype = linux_secure

The search output statistics should be like these:

Host, User, Source IP, Source Port, Protocol
10.0.0.XXX, userXXX, 192.168.XXX.XXX, 6XXXX, ssh2

 

Could anyone help to finish the search below? Much appreciated.

sourcetype=linux_secure " Accepted password " | rex field= ???? (?<user>[^ ]+)"  | chart count BY host,user, source_ip, source_port, protocol

sourcetype=linux_secure "Failed password" | rex field= ???? (?<user>[^ ]+)"  | chart count BY host,user, source_ip, source_port, protocol


kamlesh_vaghela
SplunkTrust

@Splunk_Ryan 

You should try something like this.

YOUR_SEARCH | rex field=_raw "for\s(?<user>.*)\sfrom\s(?<src>.*)\sport\s(?<port>\d+)\s(?<protocol>.*)$"

 

Thanks
KV

If any of my replies helps you solve the problem or gain knowledge, an upvote would be appreciated.


gcusello
SplunkTrust

Hi @Splunk_Ryan,

you could use the following two regexes:

your_search
| rex "password\s+for\s+(?<User>\w+)\s+from\s+(?<Source_IP>\d+\.\d+\.\d+\.\d+)\s+port\s+(?<Source_Port>\d+)\s+(?<Protocol>\w+)"
| rex "host\s+\=\s+(?<Host>\d+\.\d+\.\d+\.\d+)"
| table Host User Source_IP Source_Port Protocol

that you can test at https://regex101.com/r/31nIJn/1 and https://regex101.com/r/31nIJn/2

Ciao.

Giuseppe


Splunk_Ryan
Explorer

Thanks gcusello,

What if the failed login attempt has one more form like this:

03/06/2021
17:29:44.000

Jun 3 17:29:44 ntp sshd[9668]: Failed password for invalid user XXX from 192.168.XXX.XXX port 63568 ssh2

- host = ntp 192.168.XXX.XXX
- source = /var/log/secure
- sourcetype = linux_secure


gcusello
SplunkTrust

Hi @Splunk_Ryan,

in this case, please, try this:

your_search
| rex "password\s+for\s+(user|(invalid\s+user))\s+(?<User>\w+)\s+from\s+(?<Source_IP>\d+\.\d+\.\d+\.\d+)\s+port\s+(?<Source_Port>\d+)\s+(?<Protocol>\w+)"
| rex "host\s+\=\s+(?<Host>\d+\.\d+\.\d+\.\d+)"
| table Host User Source_IP Source_Port Protocol

that you can test at https://regex101.com/r/x3iWWD/1

Ciao.

Giuseppe

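The extraction the accepted answer performs with `rex`, written out as an added Python example (not code from the thread or from Splunk): one regex covers "Accepted password for X", "Failed password for X" and "Failed password for invalid user X", the host is taken from the event's metadata rather than from `_raw`, and the result is counted the way the OP's `chart count BY ...` would. The sample events, the host value 10.0.0.10 and the non-login line are constructed; Python's `re` spells named groups `(?P<name>...)` where Splunk uses `(?<name>...)`.

```python
import re
from collections import Counter

# Constructed sample events in the shapes seen in the thread. "_raw" is the
# sshd message; "host" is Splunk's metadata field, which is not in _raw.
SAMPLE_EVENTS = [
    {"host": "10.0.0.10", "_raw": "Jun 3 17:29:44 ntp sshd[9668]: Failed password for userXXX from 192.168.1.20 port 63568 ssh2"},
    {"host": "10.0.0.10", "_raw": "Jun 3 00:13:41 ntp sshd[18404]: Accepted password for userXXX from 192.168.1.20 port 60272 ssh2"},
    {"host": "10.0.0.10", "_raw": "Jun 3 17:29:44 ntp sshd[9668]: Failed password for invalid user XXX from 192.168.1.21 port 63569 ssh2"},
    # Not a password-authentication result; the regex must leave it out.
    {"host": "10.0.0.10", "_raw": "Jun 3 17:30:00 ntp sshd[9670]: Connection closed by 192.168.1.22 port 40000 [preauth]"},
]

# The optional "invalid user" prefix handles the third event form, so the
# user group always captures the account name itself. The outcome group lets
# one regex serve both the "Accepted" and the "Failed" search of the OP.
SSHD_LOGIN = re.compile(
    r"(?P<outcome>Accepted|Failed)\s+password\s+for\s+(?:invalid\s+user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+port\s+(?P<src_port>\d+)\s+(?P<protocol>\w+)"
)


def parse_event(event):
    """Return the extracted fields for one event, or None when the _raw line
    is not a password-authentication result (rex would yield no fields)."""
    m = SSHD_LOGIN.search(event["_raw"])
    if not m:
        return None
    fields = m.groupdict()
    fields["host"] = event["host"]          # from metadata, not from _raw
    fields["src_port"] = int(fields["src_port"])
    return fields


def count_logins(events, outcome):
    """Equivalent of `| chart count BY host, user, src_ip, src_port, protocol`
    for one outcome ("Accepted" or "Failed"); keys are the BY tuple."""
    counts = Counter()
    for ev in events:
        f = parse_event(ev)
        if f and f["outcome"] == outcome:
            key = (f["host"], f["user"], f["src_ip"], f["src_port"], f["protocol"])
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for outcome in ("Failed", "Accepted"):
        for key, n in count_logins(SAMPLE_EVENTS, outcome).items():
            print(outcome, *key, n)
```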

Splunk_Ryan
Explorer

Thanks again gcusello,

It works!


gcusello
SplunkTrust

Hi @Splunk_Ryan,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉
