Splunk Enterprise Security

Authentication extraction for Unix add-on and Enterprise Security (tested un Ubuntu Linux)

mdessus_splunk
Splunk Employee
Splunk Employee

For the ones who use the Unix addon for extracting authentication events for Enterprise Security, and some events are not recognized, mainly on Ubuntu Linux (not tested on other distribs), here's the one I've added. Feel free to correct/complement them.

To be added in etc/apps/Splunk_TA_nix/local/props.conf:

[source::/var/log/auth.log]
EXTRACT-app_and_dest = ^\w+ +\d+ \d\d:\d\d:\d\d (?<dest>\w+) (?<app>\S+)\[\d+\]
EXTRACT-ssh_details = (?<vendor_action>Failed|Accepted) \w+ for (invalid user )*(?<user>\S+) from (?<src>\d+\.\d+\.\d+\.\d+) port (?<src_port>\d+)
EXTRACT-sudo_open_details = ^\w+ +\d+ \d\d:\d\d:\d\d \w+ (?<app>sudo): pam_unix\(sudo:session\): (?<vendor_action>session \w+) for user (?<user>\w+) by (?<src_user>\w+)
LOOKUP-action_for_linux_auth = nix_action_lookup vendor_action OUTPUTNEW action
1 Solution

mdessus_splunk
Splunk Employee
Splunk Employee

The answer is in the question 🙂

View solution in original post

ycourbe
Engager

I slightly changed EXTRACT-sudo_open_details so it also works with "su"

^\w+ \d+ \d{2}:\d{2}:\d{2} (?<src>.+) (?<app>\w+).*: pam_unix\(.+:session\): (?<vendor_action>session \w+) for user (?<user>\w+)

For the rest it works perfect with my RHEL. Thanks !

0 Karma

mdessus_splunk
Splunk Employee
Splunk Employee

The answer is in the question 🙂

Get Updates on the Splunk Community!

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...