I would like to extract user name, source IP, source port and access protocol from the following 2 events from /var/log/secure.
03/06/2021 | Jun 3 17:29:44 XXX sshd[9668]: Failed password for userXXX from 192.168.XXX.XXX port 63568 ssh2 · host = 10.0.0.XXX · source = /var/log/secure · sourcetype = linux_secure |
03/06/2021 | Jun 3 00:13:41 XXX sshd[18404]: Accepted password for userXXX from 192.168.XXX.XXX port 60272 ssh2 · host = 10.0.0.XXX · source = /var/log/secure · sourcetype = linux_secure |
The search output statistics should look like this:
Host, User, Source IP, Source Port, Protocol
10.0.0.XXX, userXXX, 192.168.XXX.XXX, 6XXXX, ssh2
Could anyone help to finish the search below? Much appreciated.
sourcetype=linux_secure " Accepted password " | rex field= ???? (?<user>[^ ]+)" | chart count BY host,user, source_ip, source_port, protocal
sourcetype=linux_secure "Failed password" | rex field= ???? (?<user>[^ ]+)" | chart count BY host,user, source_ip, source_port, protocal
You should try something like this.
YOUR_SEARCH | rex field=_raw "for\s(?<user>.*)\sfrom\s(?<src>.*)\sport\s(?<port>\d+)\s(?<protocol>.*)$"
Thanks
KV
If any of my replies helps you to solve the problem or gain knowledge, an upvote would be appreciated.
Hi @Splunk_Ryan,
you could use the following two regexes:
your_search
| rex "password\s+for\s+(?<User>\w+)\s+from\s+(?<Source_IP>\d+\.\d+\.\d+\.\d+)\s+port\s+(?<Source_Port>\d+)\s+(?<Protocol>\w+)"
| rex "host\s+\=\s+(?<Host>\d+\.\d+\.\d+\.\d+)"
| table Host User Source_IP Source_Port Protocol
that you can test at https://regex101.com/r/31nIJn/1 and https://regex101.com/r/31nIJn/2
Ciao.
Giuseppe
Thanks gcusello,
What if the failed login attempt has one more form like this:
03/06/2021 | Jun 3 17:29:44 ntp sshd[9668]: Failed password for invalid user XXX from 192.168.XXX.XXX port 63568 ssh2 · host = ntp 192.168.XXX.XXX · source = /var/log/secure · sourcetype = linux_secure |
Hi @Splunk_Ryan,
in this case, please, try this:
your_search
| rex "password\s+for\s+(?:invalid\s+user\s+)?(?<User>\S+)\s+from\s+(?<Source_IP>\d+\.\d+\.\d+\.\d+)\s+port\s+(?<Source_Port>\d+)\s+(?<Protocol>\w+)"
| rex "host\s+\=\s+(?<Host>\d+\.\d+\.\d+\.\d+)"
| table Host User Source_IP Source_Port Protocol
that you can test at https://regex101.com/r/x3iWWD/1
Ciao.
Giuseppe
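A stand-alone way to check that a single pattern covers both failure forms ("for <user>" and "for invalid user <user>"), as an added example that is not from this thread. It runs in Python over constructed sample lines (hostnames, users and addresses are made up) and takes the host from the syslog header, since the "host = …" text in the question is Splunk's field display rather than part of the raw event.

```python
import re
from collections import Counter

# Constructed /var/log/secure lines. The "· host = ... · source = ..." text shown in the
# question is Splunk's selected-fields display, not raw event content, so it is absent here.
SAMPLE_LINES = [
    "Jun  3 17:29:44 bastion sshd[9668]: Failed password for alice from 192.168.1.20 port 63568 ssh2",
    "Jun  3 00:13:41 bastion sshd[18404]: Accepted password for alice from 192.168.1.20 port 60272 ssh2",
    "Jun  3 17:29:44 ntp sshd[9668]: Failed password for invalid user admin from 192.168.1.99 port 63568 ssh2",
    "Jun  3 17:29:50 ntp sshd[9668]: Failed password for invalid user admin from 192.168.1.99 port 63570 ssh2",
    "Jun  3 17:30:01 ntp sshd[9670]: Connection closed by 192.168.1.99 port 63570 [preauth]",
]

# The syslog header carries the reporting host; the sshd message carries the rest.
# "invalid user " is an optional prefix, so one pattern matches both failure forms
# without capturing the word "invalid" as the user name.
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+"
    r"(?P<outcome>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+"
    r"(?:(?P<invalid>invalid\s+user)\s+)?(?P<user>\S+)\s+from\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+port\s+(?P<src_port>\d+)\s+(?P<protocol>\w+)"
)


def parse_sshd_line(line):
    """Return the extracted fields for an sshd auth line, or None for other messages."""
    m = SSHD_AUTH_RE.match(line)
    if not m:
        return None
    return {
        "host": m["host"],
        "user": m["user"],
        "invalid_user": m["invalid"] is not None,
        "src_ip": m["src_ip"],
        "src_port": int(m["src_port"]),
        "protocol": m["protocol"],
        "outcome": m["outcome"],
    }


def count_by(lines, outcome):
    """Like `chart count BY host, user, src_ip, protocol` for one outcome.
    The source port changes on every connection, so it is left out of the key;
    keeping it would give one row per attempt and hide repeated failures."""
    keys = (
        (e["host"], e["user"], e["src_ip"], e["protocol"])
        for e in map(parse_sshd_line, lines)
        if e and e["outcome"] == outcome
    )
    return Counter(keys)
```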
Thanks again gcusello,
It works!
Hi @Splunk_Ryan,
good for you, see next time!
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉