Hello Splunk Community,
I am new to Splunk so please bear with me. My end goal is to construct a dashboard summary of our fail2ban intrusion prevention framework. The current panel I am attempting to construct should correlate the list of temporarily banned IPs from fail2ban with the corresponding SSH logs. I could then for example pull out the attempted usernames or the total count of SSH attempts from a particular IP.
A sample fail2ban log line and the corresponding SSH logs:
May 28 11:39:33 [hostname] fail2ban.actions: WARNING [ssh] Ban 42.121.111.136
May 28 11:39:32 [hostname] sshd[9748]: Failed password for invalid user HonestQiao from 42.121.111.136 port 14130 ssh2
May 28 11:39:28 [hostname] sshd[9746]: Failed password for invalid user 5s1admin from 42.121.111.136 port 13918 ssh2
May 28 11:39:24 [hostname] sshd[9744]: Failed password for root from 42.121.111.136 port 13734 ssh2
I can retrieve all of the desired events and extract the banned IPs with the following search:
(process=sshd "failed password") OR process=fail2ban.actions | rex "fail2ban.actions: WARNING .* Ban (?<fail2ban_ip>\d+\.\d+\.\d+\.\d+)"
I then want to drill down to only viewing the SSH logs from the banned IPs. I believe this can be done with the transaction command but my attempts to filter by fail2ban_ip have proven fruitless. I tried:
... | transaction fail2ban_ip
which groups by banned IP fine but only shows the fail2ban logs instead of SSH. Using "src_ip" or "fail2ban_ip, src_ip" as the transaction field list shows SSH logs for all IPs (including unbanned) or an empty result, respectively.
I browsed quite a few transaction examples but couldn't find something that helped me out. Any advice on how to use transaction or how to better approach the problem would be greatly appreciated.
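The correlation the question asks for is a two-step join rather than a transaction: first collect the set of IPs that appear in fail2ban "Ban" lines, then keep only the sshd "Failed password" events whose source IP is in that set, and aggregate per IP. The following Python script is an added example, not code from the question or from Splunk; it runs the same regexes the question's rex uses over a constructed sample (the three quoted lines plus two extra lines for an unbanned IP, 10.0.0.5, so the filter visibly excludes it). The sshd username/source-IP pattern and the `summarize_banned` function are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines quoted in the question,
# plus an unbanned host (10.0.0.5) that must not appear in the summary.
SAMPLE_LOG = """\
May 28 11:39:33 host1 fail2ban.actions: WARNING [ssh] Ban 42.121.111.136
May 28 11:39:32 host1 sshd[9748]: Failed password for invalid user HonestQiao from 42.121.111.136 port 14130 ssh2
May 28 11:39:28 host1 sshd[9746]: Failed password for invalid user 5s1admin from 42.121.111.136 port 13918 ssh2
May 28 11:39:24 host1 sshd[9744]: Failed password for root from 42.121.111.136 port 13734 ssh2
May 28 11:40:01 host1 sshd[9750]: Failed password for alice from 10.0.0.5 port 50000 ssh2
May 28 11:40:05 host1 sshd[9752]: Accepted password for alice from 10.0.0.5 port 50001 ssh2
"""

# Same pattern as the rex in the question: the banned IP at the end of the Ban line.
BAN_RE = re.compile(
    r"fail2ban\.actions: WARNING .* Ban (?P<fail2ban_ip>\d+\.\d+\.\d+\.\d+)"
)

# Assumed sshd failure format: "invalid user" is optional, then username and source IP.
SSHD_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)


def banned_ips(lines):
    """Step 1: the set of IPs fail2ban banned (the 'subsearch' side of the join)."""
    return {m.group("fail2ban_ip") for line in lines if (m := BAN_RE.search(line))}


def ssh_failures(lines):
    """Yield (src_ip, user) for every sshd 'Failed password' line."""
    for line in lines:
        m = SSHD_FAIL_RE.search(line)
        if m:
            yield m.group("src_ip"), m.group("user")


def summarize_banned(log_text):
    """Step 2: keep only failures from banned IPs and aggregate per IP.

    Returns {ip: {"count": attempts, "users": sorted attempted usernames}}.
    """
    lines = log_text.splitlines()
    banned = banned_ips(lines)
    summary = defaultdict(lambda: {"count": 0, "users": set()})
    for ip, user in ssh_failures(lines):
        if ip in banned:          # the filter 'transaction' could not express
            summary[ip]["count"] += 1
            summary[ip]["users"].add(user)
    return {
        ip: {"count": v["count"], "users": sorted(v["users"])}
        for ip, v in summary.items()
    }


if __name__ == "__main__":
    for ip, info in summarize_banned(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} failed logins, users={info['users']}")
```

In Splunk terms the same shape is "collect the banned IPs, then use that list to filter the sshd events and run stats by src_ip"; the point the script makes is that the ban list is computed first and the SSH events are filtered against it, rather than both event types being grouped together.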