Shows login activity to our Linux environments and sudo commands per host and user. Admin notes: index=main was changed to index=* because not everyone uses the same index. This dashboard has been tested for code errors, but not for search errors. Please comment if you have any issues! <form> <label>Audit All Hosts</label> <fieldset submitButton="false"> […]
Repeated Unsuccessful Logon Attempts in Linux
The following Splunk search query will return results for failed login attempts in a Linux environment for a specified time range. The regular expressions are defined within the search string; however, if you have already extracted the necessary fields you can ignore the regex section. sourcetype=linux_secure | eval Date=strftime(_time, "%Y/%m/%d") | rex ".*:\d{2}\s(?<hostname>\S+)" | rex […]
Linux Cron Job Information
This Splunk query example uses regex (regular expressions) to extract information on Linux cron jobs. *Note* this query has not been extensively tested. sourcetype="cron" | eval Date=strftime(_time, "%Y/%m/%d") | rex ".*:\d{2}\s(?<hostname>\S+)" | rex "]:\sfinished(?<Info>.*)" | stats count by Date, hostname, Info
Escalation of Privileges via SU in Linux
The following Splunk query example will return a list of users who escalated privileges on any host in a given time range. The query counts by day; if you need to count over a shorter or longer interval, modify the "Date=strftime" value below. *NOTE* if the host field is being autoextracted (for instance […]
Number of Hosts the Root Account was Detected on
The following Splunk query example will return the total number of hosts the root account was detected on in a given time range. *NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and can call upon the auto-extracted field name […]
Top 10 Most Active Hosts in a Linux Environment
The following Splunk query example will return the top 10 most active hosts in a given time range. Active in this instance is determined simply by the number of log entries. *NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and […]
Count of Unique Hosts in Linux
The following Splunk query example will return a unique count of hosts in a given time range. *NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and can call upon the auto-extracted field name of "host". sourcetype=linux_secure | rex ".*:\d{2}\s(?<hostname>\S+)" | […]
List of Hosts in a Linux Environment
The following Splunk query example will return a list of hosts by hostname in a given time range. *NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and can call upon the auto-extracted field name of "host". sourcetype=linux_secure | rex ".*:\d{2}\s(?<hostname>\S+)" […]
Top 10 Most Active Users in Linux
The following Splunk query example will return the top 10 most active users in a given time range. sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | top limit=10 User
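The `rex` patterns used across these queries (hostname, cron "finished" info, and user) are easy to test offline before they are trusted in a dashboard. The following is an added example and not part of the original posts: it applies those same patterns with Python's `re` module to a handful of constructed `linux_secure`- and `cron`-style lines and reproduces the `stats count by`, `dc`, and `top` aggregations. The only adaptation is a one-line conversion of the Splunk/PCRE `(?<name>…)` group syntax to Python's `(?P<name>…)`; the log lines, hostnames, users and addresses are made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/secure (sourcetype=linux_secure) style.
# Hostnames, users and addresses are invented for this example.
SECURE_LOG = """\
Mar 10 12:34:56 web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 5022 ssh2
Mar 10 12:34:58 web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 5022 ssh2
Mar 10 12:35:10 web01 sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Mar 10 12:36:02 db01 su: pam_unix(su-l:session): session opened for user root by alice(uid=1001)
Mar 10 12:40:44 db01 sshd[880]: Failed password for bob from 192.0.2.11 port 51010 ssh2
Mar 10 12:41:00 app02 sudo:   bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/systemctl restart app
"""

# Constructed cron-style lines shaped to match the "]: finished" pattern used above.
CRON_LOG = """\
Mar 10 03:00:01 web01 CRON[4101]: (root) CMD (/usr/local/bin/backup.sh)
Mar 10 03:00:01 web01 CRON[4101]: finished /usr/local/bin/backup.sh
"""


def splunk_rex(pattern):
    """Compile a Splunk/PCRE pattern: (?<name>...) becomes Python's (?P<name>...).
    The lookahead keeps (?<= and (?<! lookbehinds untouched."""
    return re.compile(re.sub(r'\(\?<(?=[A-Za-z_])', '(?P<', pattern))


# The three rex patterns exactly as they appear in the queries above.
HOSTNAME = splunk_rex(r'.*:\d{2}\s(?<hostname>\S+)')
CRON_INFO = splunk_rex(r']:\sfinished(?<Info>.*)')
USER = splunk_rex(r"\suser[^'](?<User>\S+\w+)")


def extract(line, *regexes):
    """Emulate chained `| rex` commands: each match contributes its named groups."""
    fields = {}
    for rx in regexes:
        m = rx.search(line)
        if m:
            fields.update(m.groupdict())
    return fields


def count_by_host(log):
    """`stats count by hostname`: activity measured as number of log entries."""
    counts = Counter()
    for line in log.splitlines():
        f = extract(line, HOSTNAME)
        if 'hostname' in f:
            counts[f['hostname']] += 1
    return counts


def unique_hosts(log):
    """`stats dc(hostname)`: distinct count of hosts seen."""
    return len(count_by_host(log))


def failed_logins(log):
    """Failed password attempts counted per (hostname, User).
    Lines without an 'invalid user X' phrase fall through as 'unknown'."""
    counts = Counter()
    for line in log.splitlines():
        if 'Failed password' in line:
            f = extract(line, HOSTNAME, USER)
            counts[(f.get('hostname'), f.get('User', 'unknown'))] += 1
    return counts


def top_users(log, limit=10):
    """`top limit=10 User`: most frequently extracted user values."""
    counts = Counter()
    for line in log.splitlines():
        f = extract(line, USER)
        if 'User' in f:
            counts[f['User']] += 1
    return counts.most_common(limit)


def hosts_with_root(log):
    """Set of hosts where the extracted User is root (dc(hostname) gives the count)."""
    hosts = set()
    for line in log.splitlines():
        f = extract(line, HOSTNAME, USER)
        if f.get('User') == 'root':
            hosts.add(f['hostname'])
    return hosts


def cron_info(log):
    """`stats count by hostname, Info` over cron 'finished' lines.
    Info keeps the leading space the pattern captures, as Splunk's rex would."""
    counts = Counter()
    for line in log.splitlines():
        f = extract(line, HOSTNAME, CRON_INFO)
        if 'Info' in f:
            counts[(f['hostname'], f['Info'])] += 1
    return counts


if __name__ == '__main__':
    print(count_by_host(SECURE_LOG), unique_hosts(SECURE_LOG))
    print(failed_logins(SECURE_LOG))
    print(top_users(SECURE_LOG), hosts_with_root(SECURE_LOG))
    print(cron_info(CRON_LOG))
```

Running it shows which lines each pattern actually catches: the user pattern only fires on lines containing a lowercase ` user ` token, so a `Failed password for bob` line is counted by host but with no user, and the sudo line's `USER=root` is not matched at all. That is exactly the kind of gap worth checking before relying on the `top User` or root-detection searches, and it is why the notes above suggest using the auto-extracted `host` (and any already-extracted user field) where a forwarder provides them.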