Re: How to search syslog data to find if 3 IP sour...

wingfieldj · ‎07-28-2016

Using syslog data, how do I find if 3 systems go to a common webpage in a 48 hour period?

I have 3 IP sources with OR between them in a search...

Do you pipe this to associate and find the destination IP addresses in common?

Rare values do not seem to work...

Jim W.

sundareshr · ‎08-15-2016

Try this to list all dest_ip visited by all three src_ip in the past 2 days

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC earliest=-2d@d | stats dc(src_ip) as src by dest_ip | where src=3 | table dest_ip

wingfieldj · ‎08-15-2016

thanks for your responses....
so new to complex searches...

Restating the scenario: Using the firewall logs, I am trying to find common website/destination IP that 3 known users have in common...due to bad guy activity on the src_IP, like malware

So I could set a custom filter for the block of time...to remove that complexity.

I tried the following - no results

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333  type=TRAFFIC | bucket span=2d _time  |  stats dc(src_ip) as ips by  dest_ip

The following had 12000 events no matches...But I know they all three had gone to the same dst_ip in the last 2 hours...

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333  type=TRAFFIC | bucket span=120m _time  |  stats dc(src_ip) as ips by  dest_ip

I tried the following custom time set - no results

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333  type=TRAFFIC |  stats dc(src_ip) as ips by  dest_ip

I tried the following custom time set - Error in Stats command

(ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333)  type=TRAFFIC |  stats count(src_ip) as COUNT dst_ip src_ip

The following with custom time set results in 10085

(ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333)  type=TRAFFIC| stats count(src_ip) as COUNT

somesoni2 · ‎08-15-2016

Can you check if the field dest_ip existing in your events and both src_ip and dest_ip appears in the same event? Your first two searches should've returned result if both fields exists.

wingfieldj · ‎08-15-2016

yes src_ip and dst_ip are in the same event

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | top 10 dst_ip

results in 10 ip addresses...and clicking on the ip address will show the events for each of the addresses in the search and some additional addresses...so that is almost it ( not exclusive to the three listed ips)

somesoni2 · ‎08-15-2016

There you go, the field name that you were trying is different in your logs (it's dst_ip instead of dest_ip).

This should work now

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | bucket span=2d _time | stats dc(src_ip) as ips by dst_ip

somesoni2 · ‎07-28-2016

Without knowing much about your data/queries, give this a try. This is assuming src_ip and dest_ip fields are extracted.
Update
Updating the field name per comment below

index=foo sourcetype=bar src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 
| bucket span=2d _time | stats dc(src_ip) as ips by _time dst_ip | where ips=3

JDukeSplunk · ‎07-28-2016

Sample data would be good.

I usually have to enclose my OR searches.

 (10.0.0.0 OR 10.0.0.1 OR 10.0.0.2)

Even better if your fields are extracted. Source and destination IP.

yourbasesearch | stats count(sourceip) as COUNT destinationip sourceip

somesoni2 · ‎07-28-2016

Please post some sample data, queries that you tried so far and expected output.

How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period?

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024