×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
brahimmouhdi
New Member
Member since: ‎09-12-2015
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-12-2015
Activity Feed
Topics I've Started
View All

Re: sshd transactions

by in Splunk Search
‎09-12-2015 11:25 AM
‎09-12-2015 11:25 AM
So, I have something working but it is not pretty; first I extract a field called cpid from "Sep 12 13:16:03 www sshd[19502]: User child is on pid 19508" type rows. Then use rename to overwrite the pid field with the cpid value and the transactions work for both root and non root users :). index=secure "by user" OR "Accepted" OR "child" | rename cpid as pid | transaction pid startswith="Accepted" endswith="by user" So, it works but I would still appreciate a cleaner solution? ... View more

sshd transactions

by in Splunk Search
‎09-12-2015 05:44 AM
‎09-12-2015 05:44 AM
Hi, I am playing with secure.log entries for sshd and am able to find transactions based on pid from below; Sep 12 13:15:41 www sshd[19475]: Accepted password for root from a.b.c.d port 53966 ssh2 Sep 12 13:15:45 www sshd[19475]: Received disconnect from a.b.c.d: 11: disconnected by user index=secure | transaction pid startswith="Accepted" endswith=" by user" However for non root users a child process is spawned and a transaction looks like this; Sep 12 13:16:03 www sshd[19502]: Accepted password for user from a.b.c.d port 53967 ssh2 Sep 12 13:16:03 www sshd[19502]: User child is on pid 19508 Sep 12 13:16:09 www sshd[19508]: Received disconnect from a.b.c.d: 11: disconnected by user Now the whole pid thing breaks down and I am not sure how to create a transaction for this case, let alone a search command that can deal with both cases. Any pointers are highly appreciated. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM