Solved: Authentication extraction for Unix add-on and Ente...

mdessus_splunk · ‎04-01-2015

For the ones who use the Unix addon for extracting authentication events for Enterprise Security, and some events are not recognized, mainly on Ubuntu Linux (not tested on other distribs), here's the one I've added. Feel free to correct/complement them.

To be added in etc/apps/Splunk_TA_nix/local/props.conf:

[source::/var/log/auth.log]
EXTRACT-app_and_dest = ^\w+ +\d+ \d\d:\d\d:\d\d (?<dest>\w+) (?<app>\S+)\[\d+\]
EXTRACT-ssh_details = (?<vendor_action>Failed|Accepted) \w+ for (invalid user )*(?<user>\S+) from (?<src>\d+\.\d+\.\d+\.\d+) port (?<src_port>\d+)
EXTRACT-sudo_open_details = ^\w+ +\d+ \d\d:\d\d:\d\d \w+ (?<app>sudo): pam_unix\(sudo:session\): (?<vendor_action>session \w+) for user (?<user>\w+) by (?<src_user>\w+)
LOOKUP-action_for_linux_auth = nix_action_lookup vendor_action OUTPUTNEW action

mdessus_splunk · ‎04-01-2015

The answer is in the question 🙂

View solution in original post

ycourbe · ‎08-18-2017

I slightly changed EXTRACT-sudo_open_details so it also works with "su"

^\w+ \d+ \d{2}:\d{2}:\d{2} (?<src>.+) (?<app>\w+).*: pam_unix\(.+:session\): (?<vendor_action>session \w+) for user (?<user>\w+)

For the rest it works perfect with my RHEL. Thanks !

mdessus_splunk · ‎04-01-2015

The answer is in the question 🙂

Authentication extraction for Unix add-on and Enterprise Security (tested un Ubuntu Linux)

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform