About jcorkey

woodcock · ‎09-09-2017

Use a cron like this: 01 23 * * * * /bin/cat /etc/passwd | /bin/awk -F: 'BEGIN {OFS=","; print "UID,login,FullName"} {print $3,$1,$5}' > /tmp/eraseme.csv && /bin/cat /tmp/splunk_user_lookup.csv /tmp/eraseme.csv | sort -ru > /tmp/eraseme2.csv && /bin/mv -f /tmp/eraseme2.csv /tmp/splunk_user_lookup.csv && /bin/scp Your scp stuff here to copy this to your Search Head or Deployer or Deployment Server and run reload deploy-server or whatever too if you need to

DUThibault · ‎12-05-2017

And how does one disable the search? At first I thought it would be on the Search or Configure panels of Linux Auditd but no...You have to go to 'Settings: (Knowledge) Searches, reports, and alerts', and then filter by 'App: Linux Auditd Technology Add-On (TA_linux-auditd)'. Locate the "Update learnt_posix_identities KVStore collection" search and then choose Disable from the Edit drop-down.

DalJeanis · ‎08-31-2017

You are telling us your conclusions rather than your business requirements. Here's a total stab in the dark. your search | stats STUFF by user | lookup my_lookup_script username AS user | stats MORESTUFF by My_Field If that is not the strategy that you are looking for, then explain the following things - 1) what is in the raw fields to be aggregated 2) what is the actual field being looked up, and the output fields 3) what happens when you put the lookup before the first stats, and why do you think that is incorrect. One other thing you can check first - is the capitalization of user field values consistently the same as are in the lookup table? If not, consider using upper() or lower() to make it so.

jcorkey · ‎08-28-2017

linux users NOT splunk users...I edited my questions above. And thanks I'll look into your suggestion.

adonio · ‎08-25-2017

if you have the data, everything is possible, i suggest to open a new question, title may be "help finding all users on my system" try and describe the data you have in Splunk, is it windows? linux? other? how do you capture the unique values for users? it can be something like: ... | stats values(user) as users | mvexpand users or ... | dedup user | table user pleanty of ways to achieve

vasanthmss · ‎10-19-2018

Glad that works, Accept the answer.

jcorkey · ‎08-10-2017

Is there a way to have the script run whenever the search is ran which will then populate the CSV and then use the CSV in the search rather than have it scheduled periodically?

jkat54 · ‎08-07-2017

< = < > = >

niketn · ‎08-04-2017

In order to have earliest and latest time tokens available from the selected row, you would need to make sure they are present in your table's transforming command as well. | stats min(_time) as earliestTime max(_time) as latestTime .... Then you can use <fields> simpleXML tag for the <table> to display only the required fields (i.e. hide the epoch time fields from display) and yet be able to use them as tokens <fields>user, "Switched to different user account","Added new user to group","Created new user"</fields> Finally in your <drilldown> event handler, use tokens $row.earliestTime$ and $row.latestTime$ . For example one of the query is modified as below: <link target="_blank">search?q=index=* sourcetype=* type="USER_CMD" host=* user=$user$ (action=success OR action=failure OR action=unknown) * | table _time host user cwd command action&earliest=$row.earliestTime$&latest=$row.latestTime$</link>

niketn · ‎08-04-2017

@jcorkey, change from distinct count i.e. dc() to count i.e. count() | stats count(rectype4) as "Executed sudo command", count(rectype3) as "Switched to different user account" , count(rectype2) as "Added new user to group", count(rectype1) as "Created new user" by user

woodcock · ‎08-03-2017

Don't forget to upvote any helpful answers and either submit your own to Accept or Accept the one that really contained the heart of the answer, so that the question is closed.

cmerriman · ‎08-03-2017

you need to set the token from your search. add <set token="user">$click.value2$</set> in your drilldown and use that token in user=$user$

knielsen · ‎08-03-2017

Can you try |u to escape URL special chars? I usually set me a token with my drilldown search, so something in the spirit of this: <drilldown target="_blank"> <set token="drill">search?q=index=* host=* sourcetype="*" user="*" useradd "new user:"| rex "^[^=\n]*=(?P<userOfInterest>\w+)"&earliest=-24h@h&latest=now</set> <link>$drill|u$</link> </drilldown>

niketn · ‎08-02-2017

You can add <condition> for clicked field names and then set your corresponding Search String as token. <drilldown> <condition field="Switched to different user account"> <set token="queryString">$row.Switched to different user account$</set> </condition> <condition field="Added new user to group"> <set token="queryString">$row.Added new user to group$</set> </condition> <condition field="Created new user"> <set token="queryString">$row.Created new user$</set> </condition> <condition>  </condition> </drilldown> For simplicity's sake I have added the clicked Column's value as the token, you can set your own. Also Drilldown has been disabled for columns other than the three mentioned in the question by using empty condition block. Refer to the Splunk Documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#set

gcusello · ‎08-02-2017

Hi jcorkey, if the format of your logs is the one you described in your question, Splunk already extracts acct field. otherwise you have to use a regex like the following | rex "acct\=\"(?<user>[^\"]*)\"" if it doesn'r run, please share an example of your logs. Bye. Giuseppe

DalJeanis · ‎08-02-2017

Think of it this way... A user ID is like a key that allows you to find the user account itself. The user name is just a description of the account, not necessarily the name of a person. The user name could be, literally, "Service Account 23 for Marketing Initiatives under Jane Smith's hierachy" In the text on each log record, the user name would be redundant. (I'm not saying there is never redundant data on log records, I'm especially not saying that about Windows log events, but still...) So, you'll need to contact your security folks to find out what process you need to use to enrich the log data. Maybe they'll give you a daily or weekly dump of the AD files, maybe they'll give you the ability to read them directly, maybe they'll tell you you're not going to get that info. If they refuse, then you'll have to start looking for ways to correlate the userids with their user names. There usually ARE events that would have user names, but sometimes you'll have to track back the IP address or use other clues to run it all down. (Which is a large part of why various SIEM tools, including Splunk Enterprise Security, exist...) Start by researching the various events with your own ID and name, since you'll be able to read them with very little confusion --assuming you're not named "John Green" or "Norton Windows".

DalJeanis · ‎08-01-2017

That's looking like unix log records. Your best bet is to take all the events from about 30 seconds before to ten seconds after and look at each one. Here's a set of log records I stole for reference off of stackexchange ... $ cat /var/log/auth.log | grep -i xyz Dec 18 18:54:51 pandya-desktop sudo: pandya : TTY=pts/2 ; PWD=/home/pandya ; USER=root ; COMMAND=/usr/sbin/useradd xyz Dec 18 18:54:51 pandya-desktop useradd[7763]: new group: name=xyz, GID=1002 Dec 18 18:54:51 pandya-desktop useradd[7763]: new user: name=xyz, UID=1002, GID=1002, home=/home/xyz, shell= Dec 18 18:55:51 pandya-desktop sudo: pandya : TTY=pts/2 ; PWD=/home/pandya ; USER=root ; COMMAND=/usr/sbin/usermod -a -G group xyz Dec 18 18:55:57 pandya-desktop sudo: pandya : TTY=pts/2 ; PWD=/home/pandya ; USER=root ; COMMAND=/usr/sbin/usermod -a -G sudo xyz Dec 18 18:55:57 pandya-desktop usermod[7872]: add 'xyz' to group 'sudo' Dec 18 18:55:57 pandya-desktop usermod[7872]: add 'xyz' to shadow group 'sudo' Your search is keying off the last record. The immediately prior set of records indicate that the user involved in altering user xyz was USER=root . (Really helpful, right?) The one other thing I noticed, poking around a bit, is that sometimes there will be a logoff right after the person does this. You might see something like "connection closed by 1.2.3.4" . So, that could be a clue too.

DalJeanis · ‎07-31-2017

easy peasy ... multisearch [ Your search that finds user1 creating user2 | table _time user1 user2 | eval rectype="create"] [ Your search that finds user1 adding user2 to group2 | table _time user1 user2 group2 | eval rectype="group"] [ Your search that finds user1 becoming user2 | table _time user1 user2 | eval rectype= "switch"] | stats values(rectype) as rectype, min(_time) as starttime, values(group) as group, range(_time) as duration by user1 user2| | where mvcount(rectype)=3 Note that to use multisearch , all of the individual commands use to find the various records must be distributed streaming type commands. If you must use any commands that cannot be distributed, then you need to do something like ( Your search that finds user1 creating user2 ) OR (Your search that finds user1 adding user2 to group2) OR (Your search that finds user1 becoming user2) | eval rectype=case(something that figures out search 1, "create", something that figures out group 2, "group", something that figures out group 3, "switch", true(), "booboo") | eval user1=coalesce(fieldfrom group1, field from group2, field from group3) | eval user2=coalesce(fieldfrom group1, field from group2, field from group3) | eval group2=(field from group2) | stats values(rectype) as rectype, min(_time) as starttime, values(group) as group, range(_time) as duration by user1 user2| | where mvcount(rectype)=3 OR rectype="booboo"

mattymo · ‎07-27-2017

I used this to find my user using visudo to add a user to wheel. I am sure there a few different conditions that you'd hunt for... index=* host=* source=/var/log/secure visudo OR usermod Replace with your commands or logic accordingly. I use the nix TA found here to ensure my field extractions (Splunk PS configs, you can use whatever you like): https://bitbucket.org/SPLServices/splunk_ta_nix/src While on the topic of authentication and privilege, check out this wicked auth app by @dshpritz https://splunkbase.splunk.com/app/3639/

DalJeanis · ‎07-27-2017

marked as code for you

klaxdal · ‎07-26-2017

Hmmm 🙂 Give these a shot ? Not exactly a replacement however there is some decent examples . http://gosplunk.com/category/linuxsecure/

klaxdal · ‎07-26-2017

Assume you have run the " Configure Dashboard " ? Try running it for " All time " this will populate your learnt_posix_identities KVStore collection . From there - to test TTY , explicitly enter a POSIX user ( rather than use the wild card ) in the appropriate field on the User TTY dashboard . Works well in my environment

woodcock · ‎05-29-2019

Make sure that you are using the very latest version of the app which has breakouts/searches based on sourcetype/data so you can turn your question inside out and ask I have this sourcetype./data, what content can I exploit? There has been a huge amount of work in this are in the latest releases so this is fully built-in now.

hkumar8 · ‎08-22-2017

Run the search and remove the user query from it and see if there are any logs where user is not "unknown"

woodcock · ‎07-20-2017

The documentation is wrong. You should assign the sourcetype in inputs.conf on the forwarder (NOT in props.conf ). Then don't bother overriding it at all.

Posts	41
Solutions	0
Karma Given	0
Karma Received	1
Member Since	‎07-14-2017

Online Status	Offline
Date Last Visited	‎06-05-2020 02:03 AM

Need help forming search string to show when users...

Why is my Linux Auditd app confusing the UID's wit...

Why can't I use my lookup command after stats comm...

Help finding all users on my system

Need help creating search to list all existing use...

How can I retrieve a list of LDAP users in my Splu...

Need help creating/configuring CSV lookup

How can I escape the < > signs so that the token w...

Need help editing custom drilldown time range of e...

Need help editing my search string so it displays ...

Re: Need help forming search string to show when u...

Re: Why is my Linux Auditd app confusing the UID's...

Re: Why can't I use my lookup command after stats ...

Re: Help finding all users on my system

Re: Need help creating search to list all existing...

Re: How can I retrieve a list of LDAP users in my ...

Re: Need help creating/configuring CSV lookup

Re: How can I escape the < > signs so that the tok...

Re: Need help editing custom drilldown time range ...

Re: Need help editing my search string so it displ...

Re: Need help adding token to my custom drilldown

Re: Need help editing custom drill down

Re: Problem with my custom drill down source code

Re: editing custom drilldown in splunk web

Re: Need help forming regex to extract username fr...

Re: How to extract name of user when useradd comma...

Re: Need help to identify user field in my current...

Re: Need help correlating different events to meet...

Re: Need help forming my search query for linux_se...

Re: I need help with my search query

Re: Use Splunk security essentials with rhel logs

Re: Linux auditd app user tty configuration.

Re: How do I get data into the splunk's security e...

Re: Linux Auditd: Why is the app's system call das...

Re: Linux Auditd: How to override the default conf...