Splunk Search

Need help with regular expression to extract successful and failed logins from /var/log/secure in a search

Splunk_Ryan
Explorer

I would like to extract user name, source IP, source port and access protocol from the following 2 events from /var/log/secure.

03/06/2021
17:29:44.000

Jun 3 17:29:44 XXX sshd[9668]: Failed password for userXXX from 192.168.XXX.XXX port 63568 ssh2

· host = 10.0.0.XXX
· source = /var/log/secure
· sourcetype = linux_secure

 

03/06/2021
00:13:41.000

Jun 3 00:13:41 XXX sshd[18404]: Accepted password for userXXX from 192.168.XXX.XXX port 60272 ssh2

· host = 10.0.0.XXX
· source = /var/log/secure
· sourcetype = linux_secure

 

The search output statistics should look like this:

Host, User, Source IP, Source Port, Protocol
10.0.0.XXX, userXXX, 192.168.XXX.XXX, 6XXXX, ssh2

 

Could anyone help to finish the search below? Much appreciated.

sourcetype=linux_secure " Accepted password " | rex field= ???? (?<user>[^ ]+)"  | chart count BY host,user, source_ip, source_port, protocal

sourcetype=linux_secure "Failed password" | rex field= ???? (?<user>[^ ]+)"  | chart count BY host,user, source_ip, source_port, protocal

 

0 Karma

kamlesh_vaghela
SplunkTrust

@Splunk_Ryan 

You should try something like this.

YOUR_SEARCH | rex field=_raw "for\s(?<user>.*)\sfrom\s(?<src>.*)\sport\s(?<port>\d+)\s(?<protocol>.*)$"

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my replies helps you solve the problem or gain knowledge, an upvote would be appreciated.

0 Karma

gcusello
SplunkTrust

Hi @Splunk_Ryan,

you could use the following two regexes:

your_search
| rex "password\s+for\s+(?<User>\w+)\s+from\s+(?<Source_IP>\d+\.\d+\.\d+\.\d+)\s+port\s+(?<Source_Port>\d+)\s+(?<Protocol>\w+)"
| rex "host\s+\=\s+(?<Host>\d+\.\d+\.\d+\.\d+)"
| table Host User Source_IP Source_Port Protocol

that you can test at https://regex101.com/r/31nIJn/1 and https://regex101.com/r/31nIJn/2

Ciao.

Giuseppe

0 Karma

Splunk_Ryan
Explorer

Thanks gcusello,

What if the failed login attempt has one more form like this:

 

03/06/2021
17:29:44.000

Jun 3 17:29:44 ntp sshd[9668]: Failed password for invalid user XXX from 192.168.XXX.XXX port 63568 ssh2

· host = ntp 192.168.XXX.XXX
· source = /var/log/secure
· sourcetype = linux_secure

0 Karma

gcusello
SplunkTrust

Hi @Splunk_Ryan,

in this case, please, try this:

your_search
| rex "password\s+for\s+(user|(invalid\s+user))\s+(?<User>\w+)\s+from\s+(?<Source_IP>\d+\.\d+\.\d+\.\d+)\s+port\s+(?<Source_Port>\d+)\s+(?<Protocol>\w+)"
| rex "host\s+\=\s+(?<Host>\d+\.\d+\.\d+\.\d+)"
| table Host User Source_IP Source_Port Protocol

that you can test at https://regex101.com/r/x3iWWD/1

Ciao.

Giuseppe

0 Karma
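The extraction discussed in this thread, reproduced as an added stand-alone Python example (not code from the thread or from Splunk) so the two failure forms can be checked offline. The sample events, host values, users and addresses are constructed placeholders in the shape of the /var/log/secure lines above; the field names (`outcome`, `method`, `src_ip`, `src_port`, `invalid_user`) are my own choice. It goes slightly beyond the accepted answer: the "invalid user" prefix is an optional named group, so both "Failed password for bob" and "Failed password for invalid user bob" parse with one pattern, the outcome and authentication method are captured so one regex serves both the Accepted and Failed searches, and the "invalid user" flag is kept as a field, which is the useful signal when you later want to separate wrong passwords for real accounts from guesses at accounts that do not exist.

```python
import re
from collections import Counter

# Constructed sample events in the shape of the /var/log/secure lines in this
# thread (hosts, users and addresses are made-up placeholders). Each tuple is
# (Splunk host field, _raw line).
SAMPLE_EVENTS = [
    ("10.0.0.5", "Jun 3 17:29:44 web1 sshd[9668]: Failed password for alice from 192.168.1.20 port 63568 ssh2"),
    ("10.0.0.5", "Jun 3 00:13:41 web1 sshd[18404]: Accepted password for alice from 192.168.1.20 port 60272 ssh2"),
    ("10.0.0.7", "Jun 3 17:29:50 ntp sshd[9670]: Failed password for invalid user admin from 192.168.1.21 port 63570 ssh2"),
    ("10.0.0.7", "Jun 3 17:29:51 ntp sshd[9671]: Accepted publickey for bob from 192.168.1.22 port 63571 ssh2"),
    ("10.0.0.7", "Jun 3 17:29:52 ntp sshd[9672]: Connection closed by 192.168.1.23 port 50000 [preauth]"),
]

# Python form of the thread's rex. Differences from the SPL version:
#  - Python names groups (?P<name>...); Splunk's PCRE accepts (?<name>...).
#  - "invalid user" is an optional named group, so "Failed password for bob"
#    and "Failed password for invalid user bob" both parse, and the flag is kept.
#  - the outcome (Accepted/Failed) and method (password/publickey) are captured
#    so one regex serves both of the asker's searches.
#  - \S+ for the user, because real usernames may contain '.', '-' or '@'.
LOGIN_RE = re.compile(
    r"(?P<outcome>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+"
    r"(?P<invalid>invalid\s+user\s+)?(?P<user>\S+)\s+from\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+port\s+(?P<src_port>\d+)\s+(?P<protocol>\w+)"
)


def parse_login(host, raw):
    """Extract host, user, source IP/port, protocol, outcome and method.

    Returns None for sshd lines that are not an authentication result.
    """
    m = LOGIN_RE.search(raw)
    if m is None:
        return None
    rec = m.groupdict()
    rec["invalid_user"] = rec.pop("invalid") is not None
    rec["src_port"] = int(rec["src_port"])
    rec["host"] = host  # in Splunk this is the default host field, not rex-extracted
    return rec


def summarize(events):
    """Rough equivalent of `chart count BY host user src_ip outcome`."""
    counts = Counter()
    for host, raw in events:
        rec = parse_login(host, raw)
        if rec is not None:
            counts[(rec["host"], rec["user"], rec["src_ip"], rec["outcome"])] += 1
    return counts


if __name__ == "__main__":
    print("Host, User, Source IP, Source Port, Protocol, Outcome, Invalid user")
    for host, raw in SAMPLE_EVENTS:
        rec = parse_login(host, raw)
        if rec is not None:
            print(", ".join(str(rec[k]) for k in
                            ("host", "user", "src_ip", "src_port", "protocol", "outcome", "invalid_user")))
```

Two things carry over to the Splunk side. First, `host` is a default field that Splunk attaches to every event at index time, so it is already available to `table` and `chart`; the "host = ..." text in the thread is the search UI showing that field, not part of `_raw`, and a `rex` against `_raw` for it will not match. Second, when you port the pattern back into `rex`, change `(?P<name>` to `(?<name>` and keep the `?` on the `invalid user` group; the same search then covers both failure forms without a second regex.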

Splunk_Ryan
Explorer

Thanks again gcusello,

It works!

0 Karma

gcusello
SplunkTrust

Hi @Splunk_Ryan,

good for you, see you next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma