Splunk Search

Search Help for Failed Logins


Hello,

I have this search string:

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR (EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") minutesago="20" | eval User_Name=coalesce(User_Name,Account_Name) | stats count by host, User_Name, Logon_Desc | sort -count | search count > 2

It alerts on failed logins across our Windows servers. If there are >2 failed logins on a server by a user, it alerts.

What I would like is for it to alert on >2 failed logins on a server in the time period, regardless of the username. Right now it alerts if bsmith fails 3 times, but I want it to alert if someone is trying admin, administrator, and root. Three failed logins on a specific server instead of a specific username on a specific server.

However, the output I want is still the host, the username, and the logon type (which is simply a lookup for whether they are connecting via RDP, at the console, etc.). I need to know what usernames they are actually trying.

I cannot seem to tweak this the right way....

Thanks for any help.

Kevin

2 Solutions

Splunk Employee

Seems you can do a conditional alert. Use the above search, drop the | search count > 2, condition it on stats sum(count) as count by host | where count > 3.


Splunk Employee

Gerald's answer will work, but if you're running this ad-hoc (not in an alert):

| stats count,list(User_Name),list(Logon_Desc) by host

You can also use values() instead of list(). The difference is described here: http://www.splunk.com/base/Documentation/4.1.5/SearchReference/CommonStatsFunctions
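
Added example, not part of the original posts: the grouping difference discussed in this thread, run in Python over constructed events. It compares the question's per-user grouping with the per-host `stats count, values(User_Name), values(Logon_Desc) by host` shape; host names, timestamps and Logon_Desc values are made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample failed-logon events: (time, host, User_Name, Logon_Desc)
NOW = datetime(2024, 1, 1, 12, 0)
EVENTS = [
    (NOW - timedelta(minutes=3), "srv01", "admin", "RDP"),
    (NOW - timedelta(minutes=2), "srv01", "administrator", "RDP"),
    (NOW - timedelta(minutes=1), "srv01", "root", "RDP"),
    (NOW - timedelta(minutes=5), "srv02", "bsmith", "Console"),
    (NOW - timedelta(minutes=4), "srv02", "bsmith", "Console"),
    (NOW - timedelta(minutes=4), "srv02", "bsmith", "Console"),
    (NOW - timedelta(minutes=9), "srv03", "jdoe", "Console"),
    (NOW - timedelta(minutes=45), "srv03", "admin", "RDP"),  # outside window
    (NOW - timedelta(minutes=50), "srv03", "root", "RDP"),   # outside window
]

def in_window(events, now, minutes=20):
    """Keep events from the last `minutes` minutes (the search's time range)."""
    cutoff = now - timedelta(minutes=minutes)
    return [e for e in events if cutoff <= e[0] <= now]

def per_user_alerts(events, now, threshold=2):
    """Question's shape: stats count by host, User_Name, Logon_Desc | search count > 2"""
    counts = defaultdict(int)
    for _, host, user, logon in in_window(events, now):
        counts[(host, user, logon)] += 1
    return {key: n for key, n in counts.items() if n > threshold}

def per_host_alerts(events, now, threshold=2):
    """Per-host shape: stats count, values(User_Name), values(Logon_Desc) by host | where count > 2"""
    agg = defaultdict(lambda: {"count": 0, "users": set(), "logon_types": set()})
    for _, host, user, logon in in_window(events, now):
        row = agg[host]
        row["count"] += 1
        row["users"].add(user)          # values() keeps distinct entries only
        row["logon_types"].add(logon)
    return {
        host: {"count": r["count"], "users": sorted(r["users"]),
               "logon_types": sorted(r["logon_types"])}
        for host, r in agg.items() if r["count"] > threshold
    }

if __name__ == "__main__":
    print("per user:", per_user_alerts(EVENTS, NOW))   # misses srv01
    print("per host:", per_host_alerts(EVENTS, NOW))   # srv01 and srv02
```

Grouping by host alone flags srv01, where three different usernames each failed once, while still listing every username and logon type tried.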

