- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- If a user can log in by ssh to HOST2 only from HOS...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have two hosts: HOST1, HOST2. A user can log in by ssh to the HOST2 only from the HOST1.
I need to search logins to the HOST2, if user did not previously log in to HOST1.
Sample logs
Apr 21 19:02:30 HOST1 sshd[7710]: pam_unix(sshd:session): session closed for user root
Apr 21 19:01:46 HOST2 sshd[9897]: pam_unix(sshd:session): session closed for user root
Apr 21 19:01:46 HOST2 sshd[9897]: Received disconnect from 192.168.0.43: 11: disconnected by user
Apr 21 18:20:01 HOST2 sshd[9897]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 21 18:20:00 HOST2 sshd[9897]: Accepted password for root from 192.168.0.43 port 35017 ssh2
Apr 21 18:19:35 HOST1 sshd[7710]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 21 18:19:35 HOST1 sshd[7710]: Accepted password for root from 192.168.0.72 port 49680 ssh2
tried the transaction command, but didn't catch how to make a proper request.
anybody did the same?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have two fields for host and IP and IP of HOST1 is 192.168.0.43, did you try something like this:
host=HOST2 sshd NOT IP=192.168.0.43
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=blah HOST1 OR HOST2 pam_unix session opened
|rex field=_raw "\d+\sPM\s(?\w+)"
|rex field=_raw "for\suser\s(?\w+)"
|transaction startswith=HOST1 endswith=HOST2 maxevents=2 keepevicted=true
|where closed_txn==0
this will give you any user that opened a session in host2 but not in host1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is almost exactly what i wanted thx.
rex field=_raw "\d+\sPM\s(?\w+)" returns an error in my splunk 6.2
so, final search string for me:
index=foo pam_unix session opened | transaction **user** startswith=*HOST1* endswith=*HOST2* maxevents=2 keepevicted=true | where closed_txn==0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have two fields for host and IP and IP of HOST1 is 192.168.0.43, did you try something like this:
host=HOST2 sshd NOT IP=192.168.0.43
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ou, that is very simple, thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're welcome; if it works feel free to accept the answer 😉
If you need help to get the field extracted automatically, check the docs http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/ExtractfieldsinteractivelywithIFX
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
