Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

sshd transactions

brahimmouhdi
New Member
‎09-12-2015 05:44 AM

Hi,

I am playing with secure.log entries for sshd and am able to find transactions based on pid from below;

Sep 12 13:15:41 www sshd[19475]: Accepted password for root from a.b.c.d port 53966 ssh2
Sep 12 13:15:45 www sshd[19475]: Received disconnect from a.b.c.d: 11: disconnected by user

index=secure | transaction pid startswith="Accepted" endswith=" by user"

However for non root users a child process is spawned and a transaction looks like this;

Sep 12 13:16:03 www sshd[19502]: Accepted password for user from a.b.c.d port 53967 ssh2
Sep 12 13:16:03 www sshd[19502]: User child is on pid 19508
Sep 12 13:16:09 www sshd[19508]: Received disconnect from a.b.c.d: 11: disconnected by user

Now the whole pid thing breaks down and I am not sure how to create a transaction for this case, let alone a search command that can deal with both cases.

Any pointers are highly appreciated.

Tags (1)
0 Karma
Reply

brahimmouhdi
New Member
‎09-12-2015 11:25 AM

So, I have something working but it is not pretty;

first I extract a field called cpid from "Sep 12 13:16:03 www sshd[19502]: User child is on pid 19508" type rows.

Then use rename to overwrite the pid field with the cpid value and the transactions work for both root and non root users :).

index=secure "by user" OR "Accepted" OR "child" | rename cpid as pid | transaction pid startswith="Accepted" endswith="by user"

So, it works but I would still appreciate a cleaner solution?

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...