linux audit Archives -

Repeated Unsuccessful Logon Attempts in Linux

The following Splunk search query will return results for failed login attempts in a Linux environment for a specified time range. The regular expressions are defined within the search string, however if you already extracted the necessary fields you can ignore the regex section.

sourcetype=linux_secure | eval Date=strftime(_time, "%Y/%m/%d") | rex ".*:\d{2}\s(?<hostname>\S+)" | rex "gdm\S+\sauthentication\s(?<status>\w+)" | rex "\suser[^'](?<User>\S+\w+)" | search status=failure| stats count as fails by Date, User, hostname | eval "Alert Level"=case(fails>=50, "Critical", fails<50 AND fails>=20, "Warning", fails<20, "Normal") | sort - fails| rename fails as "Failed Logon Attempts" | rename User as "Account in Question"

sourcetype=linux_secure | eval Date=strftime(_time, "%Y/%m/%d") | rex ".*:\d{2}\s(?<hostname>\S+)" | rex "gdm\S+\sauthentication\s(?<status>\w+)" | rex "\suser[^'](?<User>\S+\w+)" | search status=failure| stats count as fails by Date, User, hostname | eval "Alert Level"=case(fails>=50, "Critical", fails<50 AND fails>=20, "Warning", fails<20, "Normal") | sort - fails| rename fails as "Failed Logon Attempts" | rename User as "Account in Question"

Continue Reading →

Linux Cron Job Information

This splunk query example uses regex (regular expressions) to extract information on Linux cron jobs. *Note* this query has not been extensively tested

sourcetype="cron" | eval Date=strftime(_time, "%Y/%m/%d") | rex ".*:\d{2}\s(?<hostname>\S+)" | rex "]:\sfinished(?<Info>.*)"  | stats count by Date, hostname, Info

1	sourcetype="cron" \| eval Date=strftime(_time, "%Y/%m/%d") \| rex ".:\d{2}\s(?<hostname>\S+)" \| rex "]:\sfinished(?<Info>.)" \| stats count by Date, hostname, Info

Continue Reading →

Escalation of Privileges via SU in Linux

The following splunk query example will return a list of users who escalated privileges on any host in a given time range. The query will count by day, if you need to count in a shorter or longer time range modify the “Date=strftime” value below. *NOTE* if the host field is being autoextracted (for instance […]

Continue Reading →

Number of Hosts the Root Account was Detected on

The following splunk query example will return the total number of hosts the Root account was detected on in a given time range *NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and can call upon the auto extracted fieldname […]

Continue Reading →

Top 10 Most Active Hosts in a Linux Environment

The following splunk query example will return the top 10 most active hosts in a given time range. Active in this instance is determined simply the number of log entries. *NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and […]

Continue Reading →

Count of Unique Hosts in Linux

The following splunk query example will return a unique count of hosts in a given time range *NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and can call upon the auto extracted fieldname of “host”

sourcetype=linux_secure |rex ".*:\d{2}\s(?<hostname>\S+)" | stats dc(hostname)

1	sourcetype=linux_secure \|rex ".*:\d{2}\s(?<hostname>\S+)" \| stats dc(hostname)

Continue Reading →

Top 10 most active Users in Linux

The following splunk query example will return the top 10 most active users in a given time range

sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | top limit=10 User

1	sourcetype=linux_secure \| rex "\suser[^'](?<User>\S+\w+)" \| top limit=10 User

Continue Reading →

Tag: linux audit