How I can extract two diferent events in a single ...

cservin81 · ‎10-18-2019

Im new in this and I need some help with this

for example I need to correlate two events from linux.

my first search is

"svr-jrs-mat" rhost="*"

results: Oct 18 16:48:10 svr-jrs-mat-01 sshd[12160]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.11.61 user=aaa

where only I need rhost=10.0.11.61 and user=aaa for my second result

sourcetype=linux_secure "svr-jrs-mat" parametro="*"

result: Oct 18 16:48:21 svr-jrs-mat-01 sudo: aaa : TTY=pts/1 ; PWD=/home/aaa ; USER=root ; COMMAND=/bin/cat /var/log/secure

the thing is I need to correlate and know what user from what IP do sudo and the command in real time

I try with eval and rex but no result, thanks

regards

woodcock · ‎10-20-2019

Try this:

index="YouShouldAlwaysSpeciryAnIndex" AND sourcetype="linux_secure" AND "svr-jrs-mat" AND parametro="*" AND [search index="YouShouldAlwaysSpeciryAnIndex" AND sourcetype="AndSourcetypeToo" AND "svr-jrs-mat" rhost="*" | table rhost user | format]

richgalloway · ‎10-19-2019

I'm interested in knowing what eval and rex commands you've tried. Have you tried something like this?

"svr-jrs-mat" (rhost="*" OR sourcetype=linux_secure parametro="*")
| rex "sudo: (?<sudo>\w+)
| eval user=coalesce(user, sudo)
| stats values(*) as * by user
| table _time user rhost COMMAND

---
If this reply helps you, Karma would be appreciated.

How I can extract two diferent events in a single search

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?