Splunk Search

Search & rex to munge log data for execution of "sudo" commands

rmenr
New Member

I'm looking to create a custom search for dashboard I'm working on related to security. The idea is to detect the execution or attempted execution of sudo commands, and to be alerted or notified when there are failed attempts.

My goal is to create a search that displays only the relevant and desired pieces of datum, so that it's simple and easy to read so that I can pivot that into a daily/weekly/monthly report.

Of course, we'll add notification via e-mail for sudo failures too.

Now, the trouble is that I wrote this monstrosity of a regex and I also wrote a very SIMPLE search string, and they are both producing the SAME results...so you can imagine how frustrated I am for busting my butt on the regex.

Here are the two searches I've composed:

source="/var/log/auth.log" | search sudo NOT "/usr/sbin/megacli"

VS

source="/var/log/auth.log" | rex "(?[A-Z]\w+\s+\d\s\d{2}:\d{2}:\d{2})\s(?[a-z.]).(?(?<=:)\s+\w+\s*(?=:)).(?(?<=:)[\s\d\w]+(?=;)).(?(?<=COMMAND=).*)" | search sudo NOT "/usr/sbin/megacli"

Why do the search results appear the same?


gkanapathy
Splunk Employee

The rex command does not do anything to the results and events except add new extracted fields. It would not transform or change the raw text, or remove stuff. Your search command doesn't care about these new fields, so of course it is just going to do the same whether they exist or not.

BTW, it would also give you the same results (and run faster) with:

source="/var/log/auth.log" sudo NOT "/usr/sbin/megacli"

I'm not sure what you're trying to do, but either you mean to use the regex command, or else your last command should either be something like ... | where command=="blahblah" or ... | search servername="abcdef"?

Or maybe you're looking for the fields or table commands?

rmenr
New Member

source="/var/log/auth.log" sudo NOT "/usr/sbin/megacli" command NOT "nessus*" is what I'm working with now, but I do have a question -->

This specific search is not catching failed "sudo su -" attempts which show up in the logs like this:

sudo: pam_krb5(sudo:auth): authentication failure; logname=redacted uid=0 euid=0 tty=/dev/pts/1 ruser=redacted rhost=

How can I get it to catch those as well?

Again, many thanks!!

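As an added example (not code from the thread), this Python script does what gkanapathy describes: a rex-style extraction with named groups adds fields to each sudo event, and the filtering is then done on those fields rather than on the raw text. It also handles the pam_krb5 "authentication failure" format from the follow-up question and the "incorrect password attempts" form, so failed attempts are never dropped by the megacli exclusion. The sample lines, the field names and the exclusion list are constructed assumptions.

```python
import re

# Constructed sample auth.log lines (not from the original thread) in the
# syslog/sudo layout the thread discusses, including a pam_krb5 failure.
SAMPLE_LOG = """\
Mar  5 10:12:33 host1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /root
Mar  5 10:13:01 host1 sudo: pam_krb5(sudo:auth): authentication failure; logname=bob uid=0 euid=0 tty=/dev/pts/1 ruser=bob rhost=
Mar  5 10:13:05 host1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Mar  5 10:14:00 host1 sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/megacli -LDInfo -Lall -aALL
Mar  5 10:15:10 host1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

# Named groups play the role of the fields a Splunk rex extraction would add (assumed names).
HEADER = r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\ssudo:\s+"
COMMAND_RE = re.compile(
    HEADER + r"(?P<user>\S+)\s:\s(?:(?P<reason>[^;]+?)\s;\s)?TTY=(?P<tty>\S+)\s;"
    r".*?USER=(?P<target>\S+)\s;\sCOMMAND=(?P<command>.*)$"
)
PAM_FAIL_RE = re.compile(
    HEADER + r"pam_\w+\(sudo:auth\):\sauthentication failure;.*?\btty=(?P<tty>\S+)\s.*?\bruser=(?P<user>\S*)"
)

def parse_sudo_event(line):
    """Return a dict of extracted fields for a sudo line, or None for any other line."""
    m = COMMAND_RE.match(line)
    if m:
        fields = m.groupdict()
        # A reason such as "3 incorrect password attempts" means the command did not run.
        fields["outcome"] = "failure" if fields.pop("reason") else "success"
        return fields
    m = PAM_FAIL_RE.match(line)
    if m:
        fields = m.groupdict()
        fields.update(target=None, command=None, outcome="failure")
        return fields
    return None

def sudo_report(log_text, exclude_prefixes=("/usr/sbin/megacli",)):
    """Filter on extracted fields: drop noisy successful commands, keep every failure."""
    events = []
    for line in log_text.splitlines():
        ev = parse_sudo_event(line)
        if ev is None:
            continue
        if ev["outcome"] == "success" and (ev["command"] or "").startswith(exclude_prefixes):
            continue  # monitoring noise; failures are never suppressed here
        events.append(ev)
    return events

def failed_attempts(log_text):
    """The subset worth alerting on: pam failures and bad-password attempts."""
    return [ev for ev in sudo_report(log_text) if ev["outcome"] == "failure"]
```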