Successful Logons to WordPress Admin Area

Ever want more detailed information on authentications to your WordPress Admin Area? This Splunk Query will show detailed information on successful authentications to the wp-admin section of your site: sourcetype=”access_combined” uri=”/wp-admin/admin-ajax.php?_fs_blog_admin=*” | iplocation clientip | stats sparkline latest(_time) as Latest_Date count(status) as count values(status) by uri, Country, Region, City, clientip | convert ctime(Latest_Date) | sort […]

Continue Reading →

Apache High Level Visitor Info

The following query gives a breakdown on traffic by clientip. I run this over all time so I can get detailed information on first visit versus latest visit as you can see below. sourcetype=access_combined (referer_domain!=”https://gosplunk.com” AND referer_domain!=”http://gosplunk.com”) | iplocation clientip | stats first(_time) as First_Visit latest(_time) as Last_Visit sum(eval(round(bytes/1024/1024,2))) as MB first(Country) as Country count […]

Continue Reading →

Direct and Referred Apache Web Traffic

The following query will show all traffic to an Apache web server that is direct, meaning no referring site. sourcetype=”access_combined” referer=”-” | stats count The following query will show all traffic that is NOT direct, meaning only referring sites. sourcetype=”access_combined” referer!=”-” | stats count The following query is the same as above, but with a […]

Continue Reading →

Concurrent Users on Apache Web

I’ve been working through this query and depending on the length of time you are looking back you can use one of the following two methods. Option 1 – Short time window (30 days or less) concurrent users for a span of 5 minutes. sourcetype=”access_combined” | timechart span=5m dc(clientip) as “Concurrent Users” Option 2 – […]

Continue Reading →

Detect ShellShock Attempts in Apache Logs

sourcetype=”apache:access” http_method=POST request=”*{ :;};*” OR request=”*/bin/*”   A very simple query to detect attempts at running Linux commands on an Apache web server.  The POST http request is where the command is injected.  By searching the “request” field for tell tale signs of the attempt you can understand when and where the attack is occurring […]

Continue Reading →

Apache access_logs status code reporting

index=apache sourcetype=access_combined | chart count(eval(like(status,”2%”))) AS Success, count(eval(like(status,”4%”) OR like(status,”5%”))) AS Error by status ###this query is to report on status code description##### index=apache source=”/var/log/httpd/access_log” | timechart count by status_description useother=f # Find Website Status Over time index=apache sourcetype=access_combined| timechart count by status_type limit=10 usenull=f # Reports on Webserver error 500. index=apache sourcetype=access_combined status_type=”Server Error” […]

Continue Reading →