I have a small environment. I have 3 users that are allowed to login to a particular server. If I search:
index=<index name> user=<username> OR user=<username> OR user=<username>
I find all instances of them logging in. How can I find users that are not equal to those 3 users? I want to set up an alert that will let me know when someone other than those 3 are trying to log in.
Hi @kbohlken,
if you're speaking of login to Splunk, you can use this search:
Splunk_Audit eventtype
index=_audit sourcetype = audittrail action="login attempt"
Splunk_Logfail
eventtype=Splunk_Audit info=failed
Splunk_Login
eventtype=Splunk_Audit info=succeeded
Ciao.
Giuseppe
Not logging into Splunk. I have a server that forwards its log to Splunk. I want Splunk to alert me when someone who is not one of the three users tries to log in. I want to define which three users are allowed, and if anyone besides them tries, I will be notified. I do not want failed attempts. Just when it is someone I do not know.
Hi @kbohlken,
what kind of server have you: windows or Linux?
if you are speaking of a windows server, you could run something like this:
index=wineventlog EventCode=4624 User_Name!="*SERVI*" AND User_Name!="SYST*"
| stats count BY Account_name
if you are speaking of a Linux server, you could run something like this:
index=os "accepted password"
| stats count BY user
Ciao.
Giuseppe
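The exclusion the question asks for, as an added example that is not part of the original thread: the three permitted accounts become an allowlist and the search returns only successful logins by anyone else, so it can be saved as an alert that triggers when the result count is greater than 0. The index names, the usernames alice/bob/carol, and the field names user and src_ip are assumptions to adapt to your environment (the first search is for a Windows server, the second for Linux).

```spl
index=wineventlog EventCode=4624 Logon_Type IN (2, 7, 10)
    NOT user IN ("alice", "bob", "carol")
    NOT user="SYSTEM" NOT user="*$"
| stats count min(_time) AS first_seen max(_time) AS last_seen BY user, Logon_Type, host

index=os sourcetype=linux_secure ("Accepted password" OR "Accepted publickey")
| rex "Accepted \w+ for (?<user>\S+) from (?<src_ip>\S+)"
| search NOT user IN ("alice", "bob", "carol")
| stats count values(src_ip) AS sources min(_time) AS first_seen max(_time) AS last_seen BY user, host
```

The Windows search keeps only interactive, unlock and remote-interactive logons (Logon_Type 2, 7, 10) and drops the built-in SYSTEM account and computer accounts ending in "$", so service and machine noise does not fire the alert; schedule either search over the same window as its run interval (for example every 15 minutes over the last 15 minutes) and set the trigger condition to "number of results > 0".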