Failed Login to OSX

The following splunk query will return results on users who made unsuccessful attempts to login to an OSX machine: sourcetype=osx_secure | rex “authinternal\sfailed\sto\sauthenticate\suser\s(?\S+)” |eval Date=strftime(_time, “%Y/%m/%d”) | stats count by USER, host, Date | sort – count

Continue Reading →

Successful Login to OSX

The following splunk query (with regex) will return a result of users who have successfully authenticated to an OSX machine: *NOTE* Thanks Bob for pointing this out. The regular expression has now been fixed! sourcetype=osx_secure | rex “authinternal\sauthenticated\suser\s(?<USER>\S+)” |eval Date=strftime(_time, “%Y/%m/%d”) | stats count by USER, host, Date | sort – count

Continue Reading →