SPL
Failed Login to OSX
Description
The following Splunk query returns the users who made unsuccessful attempts to log in to an OSX machine, counted per user, host and day:
sourcetype=osx_secure | rex "authinternal\sfailed\sto\sauthenticate\suser\s(?<USER>\S+)" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by USER, host, Date | sort - count
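
The same extraction and aggregation as the query above, written in Python and run over a few sample lines. This is an added example, not part of the original SPL post; the log layout, host names and user names are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Same pattern as the rex command; Python spells the named group (?P<USER>...).
FAILED_AUTH = re.compile(
    r"authinternal\sfailed\sto\sauthenticate\suser\s(?P<USER>\S+)"
)

# Constructed sample lines in an assumed layout: timestamp, host, process, message.
SAMPLE_LOG = """\
2024-03-01T09:14:02 mac-01 com.apple.SecurityServer[25]: authinternal failed to authenticate user alice
2024-03-01T09:14:09 mac-01 com.apple.SecurityServer[25]: authinternal failed to authenticate user alice
2024-03-01T09:15:30 mac-01 com.apple.SecurityServer[25]: authinternal authenticated user alice
2024-03-01T11:02:47 mac-02 com.apple.SecurityServer[31]: authinternal failed to authenticate user bob
2024-03-02T08:00:11 mac-01 com.apple.SecurityServer[25]: authinternal failed to authenticate user alice
2024-03-02T08:00:15 mac-02 sshd[412]: Failed password for root from 192.0.2.10 port 50022 ssh2
"""


def failed_logins(log_text):
    """Return [(user, host, date, count), ...] sorted by count, highest first."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_AUTH.search(line)
        if not match:
            # No USER field extracted: such events drop out of
            # "stats count by USER" in the query as well.
            continue
        timestamp, host = line.split(None, 2)[:2]
        # eval Date=strftime(_time, "%Y/%m/%d")
        date = datetime.fromisoformat(timestamp).strftime("%Y/%m/%d")
        counts[(match.group("USER"), host, date)] += 1
    # stats count by USER, host, Date | sort - count
    return [(u, h, d, n) for (u, h, d), n in counts.most_common()]


if __name__ == "__main__":
    for row in failed_logins(SAMPLE_LOG):
        print(row)
```
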