Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

sshd transactions

brahimmouhdi
New Member
‎09-12-2015 05:44 AM

Hi,

I am playing with secure.log entries for sshd and am able to find transactions based on pid from below;

Sep 12 13:15:41 www sshd[19475]: Accepted password for root from a.b.c.d port 53966 ssh2
Sep 12 13:15:45 www sshd[19475]: Received disconnect from a.b.c.d: 11: disconnected by user

index=secure | transaction pid startswith="Accepted" endswith=" by user"

However for non root users a child process is spawned and a transaction looks like this;

Sep 12 13:16:03 www sshd[19502]: Accepted password for user from a.b.c.d port 53967 ssh2
Sep 12 13:16:03 www sshd[19502]: User child is on pid 19508
Sep 12 13:16:09 www sshd[19508]: Received disconnect from a.b.c.d: 11: disconnected by user

Now the whole pid thing breaks down and I am not sure how to create a transaction for this case, let alone a search command that can deal with both cases.

Any pointers are highly appreciated.

Tags (1)
0 Karma
Reply

brahimmouhdi
New Member
‎09-12-2015 11:25 AM

So, I have something working but it is not pretty;

first I extract a field called cpid from "Sep 12 13:16:03 www sshd[19502]: User child is on pid 19508" type rows.

Then use rename to overwrite the pid field with the cpid value and the transactions work for both root and non root users :).

index=secure "by user" OR "Accepted" OR "child" | rename cpid as pid | transaction pid startswith="Accepted" endswith="by user"

So, it works but I would still appreciate a cleaner solution?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...