Need help with regular expression to extract successful and failed logins from /var/log/secure in a search

Splunk_Ryan
Explorer

I would like to extract user name, source IP, source port and access protocol from the following 2 events from /var/log/secure.

03/06/2021
17:29:44.000

Jun 3 17:29:44 XXX sshd[9668]: Failed password for userXXX from 192.168.XXX.XXX port 63568 ssh2

· host = 10.0.0.XXX
· source = /var/log/secure
· sourcetype = linux_secure

03/06/2021
00:13:41.000

Jun 3 00:13:41 XXX sshd[18404]: Accepted password for userXXX from 192.168.XXX.XXX port 60272 ssh2

· host = 10.0.0.XXX
· source = /var/log/secure
· sourcetype = linux_secure

The search output statistics should look like this:

Host, User, Source IP, Source Port, Protocol
10.0.0.XXX, userXXX, 192.168.XXX.XXX, 6XXXX, ssh2

Could anyone help me finish the searches below? Much appreciated.

sourcetype=linux_secure "Accepted password" | rex field= ???? (?<user>[^ ]+)" | chart count BY host, user, source_ip, source_port, protocol

sourcetype=linux_secure "Failed password" | rex field= ???? (?<user>[^ ]+)" | chart count BY host, user, source_ip, source_port, protocol


kamlesh_vaghela
SplunkTrust

@Splunk_Ryan 

You should try something like this.

YOUR_SEARCH | rex field=_raw "for\s(?<user>.*)\sfrom\s(?<src>.*)\sport\s(?<port>\d+)\s(?<protocol>.*)$"

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.


gcusello
Legend

Hi @Splunk_Ryan,

you could use the following two regexes:

your_search
| rex "password\s+for\s+(?<User>\w+)\s+from\s+(?<Source_IP>\d+\.\d+\.\d+\.\d+)\s+port\s+(?<Source_Port>\d+)\s+(?<Protocol>\w+)"
| rex "host\s+\=\s+(?<Host>\d+\.\d+\.\d+\.\d+)"
| table Host User Source_IP Source_Port Protocol

that you can test at https://regex101.com/r/31nIJn/1 and https://regex101.com/r/31nIJn/2

Ciao.

Giuseppe


Splunk_Ryan
Explorer

Thanks gcusello,

 What if the failed login attempt has one more form like this:

03/06/2021
17:29:44.000

Jun 3 17:29:44 ntp sshd[9668]: Failed password for invalid user XXX from 192.168.XXX.XXX port 63568 ssh2

· host = ntp 192.168.XXX.XXX
· source = /var/log/secure
· sourcetype = linux_secure


gcusello
Legend

Hi @Splunk_Ryan,

in this case, please, try this:

your_search
| rex "password\s+for\s+(user|(invalid\s+user))\s+(?<User>\w+)\s+from\s+(?<Source_IP>\d+\.\d+\.\d+\.\d+)\s+port\s+(?<Source_Port>\d+)\s+(?<Protocol>\w+)"
| rex "host\s+\=\s+(?<Host>\d+\.\d+\.\d+\.\d+)"
| table Host User Source_IP Source_Port Protocol

that you can test at https://regex101.com/r/x3iWWD/1

Ciao.

Giuseppe

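The extraction in kamlesh_vaghela's answer and in gcusello's accepted answer can be checked offline before it goes into a search. The script below is an added example and is not code from the thread or from Splunk: it runs one regex with the same capture groups over a handful of constructed sshd lines (`SAMPLE_EVENTS`, invented here; the function names `parse_event`, `chart_count` and `failed_by_source` are mine) and reproduces the `chart count BY host, user, source_ip, source_port, protocol` output the question asks for, for the Accepted and the Failed case from a single pattern. Two things differ from the patterns posted above, on purpose: the `user ` / `invalid user ` token in front of the name is optional, because for an existing account sshd writes the bare form (`Failed password for root from ...`), which the accepted answer's `(user|(invalid\s+user))\s+` does not match; and `host` is taken from the event's metadata rather than from `_raw`, since Splunk's `host` field is not part of the message text. Python's `re` spells named groups `(?P<name>...)`; in `rex` (PCRE) the same groups are written `(?<name>...)`.

```python
import re
from collections import Counter

# Constructed sample events as (host metadata, raw message); not data from the
# original thread. They cover the three message shapes discussed above plus a
# non-login sshd line that the regex must ignore.
SAMPLE_EVENTS = [
    ("10.0.0.5", "Jun 3 17:29:44 XXX sshd[9668]: Failed password for userXXX from 192.168.1.10 port 63568 ssh2"),
    ("10.0.0.5", "Jun 3 00:13:41 XXX sshd[18404]: Accepted password for userXXX from 192.168.1.10 port 60272 ssh2"),
    ("10.0.0.7", "Jun 3 17:29:44 ntp sshd[9668]: Failed password for invalid user XXX from 192.168.1.20 port 63568 ssh2"),
    ("10.0.0.7", "Jun 3 17:29:45 ntp sshd[9668]: Failed password for invalid user XXX from 192.168.1.20 port 63568 ssh2"),
    ("10.0.0.7", "Jun 3 17:30:01 ntp sshd[9670]: Connection closed by 192.168.1.20 port 63570 [preauth]"),
]

# Same fields as the rex in the answers, with two changes:
#  - the "user " / "invalid user " token before the name is optional, so the
#    bare form sshd writes for existing accounts ("... for root from ...") matches too;
#  - the outcome (Accepted/Failed) is captured, so one pattern serves both searches.
# Python's re needs (?P<name>...); in Splunk's rex (PCRE) write (?<name>...).
LOGIN_RE = re.compile(
    r"(?P<outcome>Accepted|Failed)\s+password\s+for\s+"
    r"(?:(?P<invalid>invalid\s+)?user\s+)?(?P<user>\S+)\s+from\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+port\s+(?P<src_port>\d+)\s+"
    r"(?P<protocol>\w+)"
)


def parse_event(host, raw):
    """Extract the login fields from one event; return None for non-login lines.

    `host` is Splunk's host metadata field: it is not part of _raw, so it is
    passed in alongside the message rather than extracted from it.
    """
    m = LOGIN_RE.search(raw)
    if m is None:
        return None
    return {
        "host": host,
        "outcome": m.group("outcome"),
        "user": m.group("user"),
        "invalid_user": m.group("invalid") is not None,  # "invalid user" form seen
        "src_ip": m.group("src_ip"),
        "src_port": int(m.group("src_port")),
        "protocol": m.group("protocol"),
    }


def chart_count(events, outcome):
    """Equivalent of `| chart count BY host, user, src_ip, src_port, protocol`
    restricted to one outcome ("Accepted" or "Failed")."""
    counts = Counter()
    for host, raw in events:
        rec = parse_event(host, raw)
        if rec is not None and rec["outcome"] == outcome:
            key = (rec["host"], rec["user"], rec["src_ip"], rec["src_port"], rec["protocol"])
            counts[key] += 1
    return counts


def failed_by_source(events):
    """Failed logins rolled up per source IP, the usual first cut for spotting
    password guessing spread across many hosts and usernames."""
    counts = Counter()
    for host, raw in events:
        rec = parse_event(host, raw)
        if rec is not None and rec["outcome"] == "Failed":
            counts[rec["src_ip"]] += 1
    return counts


if __name__ == "__main__":
    for outcome in ("Accepted", "Failed"):
        print(f"--- {outcome} ---")
        print("Host, User, Source IP, Source Port, Protocol, count")
        for key, n in sorted(chart_count(SAMPLE_EVENTS, outcome).items()):
            print(", ".join(map(str, key)) + f", {n}")
    print("--- failed logins per source IP ---")
    for ip, n in failed_by_source(SAMPLE_EVENTS).most_common():
        print(f"{ip}: {n}")
```

Run it as-is to see the two tables; to check your own lines, replace `SAMPLE_EVENTS` with events pasted from `/var/log/secure`. Once the pattern matches every shape you see, the same expression (with `(?<name>...)` groups) drops straight into `rex field=_raw`, and a single search can split on the captured outcome instead of maintaining one search for "Accepted password" and another for "Failed password".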

Splunk_Ryan
Explorer

Thanks again gcusello,

  It works!


gcusello
Legend

Hi @Splunk_Ryan,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉
