List IPs that had Successful and Failed SSH Attempts

The following query was discovered on Stack Overflow. It performs the necessary regex field extractions (login result, user and source IP) to get a list of IPs associated with SSH login attempts.


Comments

  1. Henry Guzman

    Hello, thanks for posting your query, however it does not work for me. This is the error I get:

    source="*secure" process=sshd "password for" | rex field=_raw "(?Accepted|Failed) password for (?\w+) from (?[0-9A-Fa-f:\.]+)" |eval success=if(result=="Failed",0,1) |stats count as total,sum(success) as success by ipaddr |where total!=success AND success!=0
    All time

    Error in 'rex' command: Encountered the following error while compiling the regex '(?Accepted|Failed) password for (?\w+) from (?[0-9A-Fa-f:\.]+)': Regex: unrecognized character after (? or (?-
    The search job has failed due to an error. You may be able to view the job in the Job Inspector.

    1. ehollima

      try something like this...

      index="os" sshd_protocol=ssh2 action=* keyboard-interactive OR password
      | rex field=_raw "(?<result>Accepted|Failed) password for (?<user>\w+) from (?<ipaddr>[0-9A-Fa-f:\.]+)"
      | eval success=if(result=="Failed",0,1)
      | stats count as total, sum(success) as success by ipaddr
      | where total!=success AND success!=0

  2. ehollima

    in the regex:
    you need to add the <action>
    you need to add the <user>
    you need to add the <src>

    this isn’t my favorite way of explaining regex…I’m learning and html doesn’t like it
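The same extraction and aggregation as the Splunk query in the comments, written in Python as an added example (not from the original post or either commenter) so the named capture groups the blog's HTML swallowed are visible. It runs over constructed sshd log lines and goes one step beyond the query: it also matches the "Failed password for invalid user NAME from IP" form that the original regex silently skips.

```python
import re
from collections import defaultdict

# Named groups <result>, <user>, <ipaddr> are what the rex stage needs and what
# the blog's HTML stripped. The optional "invalid user " prefix is an addition:
# the original pattern never matches those lines, so failed guesses against
# non-existent accounts never reach the stats stage.
SSHD_RE = re.compile(
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\w+) "
    r"from (?P<ipaddr>[0-9A-Fa-f:.]+)"
)

# Constructed sample in /var/log/secure format (not real data).
SAMPLE_LOG = """\
Mar  3 10:01:12 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 50122 ssh2
Mar  3 10:01:15 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 50122 ssh2
Mar  3 10:01:20 host1 sshd[2204]: Accepted password for alice from 198.51.100.7 port 50130 ssh2
Mar  3 10:02:01 host1 sshd[2210]: Accepted password for bob from 203.0.113.5 port 41000 ssh2
Mar  3 10:02:40 host1 sshd[2215]: Failed password for invalid user admin from 192.0.2.9 port 3344 ssh2
Mar  3 10:02:44 host1 sshd[2215]: Failed password for invalid user admin from 192.0.2.9 port 3344 ssh2
Mar  3 10:03:00 host1 sshd[2220]: Accepted publickey for carol from 203.0.113.5 port 41010 ssh2
"""


def parse_attempts(log_text):
    """Mirror the rex stage: yield (ipaddr, user, success) for each password attempt."""
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:  # publickey logins and unrelated lines do not match, as in the query
            yield m["ipaddr"], m["user"], m["result"] == "Accepted"


def ips_with_mixed_results(log_text):
    """stats count as total, sum(success) as success by ipaddr
    | where total!=success AND success!=0
    i.e. IPs that failed at least once and then succeeded at least once."""
    totals = defaultdict(lambda: {"total": 0, "success": 0})
    for ip, _user, ok in parse_attempts(log_text):
        totals[ip]["total"] += 1
        totals[ip]["success"] += int(ok)
    return {ip: c for ip, c in totals.items()
            if c["total"] != c["success"] and c["success"] != 0}


if __name__ == "__main__":
    for ip, c in ips_with_mixed_results(SAMPLE_LOG).items():
        print(f"{ip}: {c['success']} accepted of {c['total']} password attempts")
```

Only 198.51.100.7 is reported: 192.0.2.9 never succeeded and 203.0.113.5 never failed, which is exactly the pair of filters in the `where` clause.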
