Auditd hosts in all environments

• Dashboards
• manderso
• 5 Comments
• 6 0

Shows the login activity to our linux environments, sudo commands per host and users. Admin Notes: index=main was changed to index=* due to not everyone using the same index. This dashboard has been tested for code errors, but not for search errors. Please comment if you have any issues!  

<form> <label>Audit All Hosts</label> <fieldset submitButton="false"> <input type="time" token="field1"> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="field2" searchWhenChanged="true"> <label>Environment</label> <choice value="*">All</choice> <choice value="*dev*">DEV</choice> <choice value="*prd*">PROD</choice> <choice value="*int*">INTG</choice> <choice value="*tst*">TEST</choice> <choice value="*inf*">INF</choice> <choice value="*qa*">QA</choice> <fieldForLabel>env</fieldForLabel> <fieldForValue>env</fieldForValue> <default>*</default> <initialValue>*</initialValue> </input> </fieldset> <row> <panel> <title>Audit Auth Logs By GeoIp</title> <map> <title>(ssh originating locations, not updated with Environment dropdown)</title> <search> <query>index=* "ssh" "audit.res"=success type=USER_LOGIN hostname=*| iplocation addr | geostats latfield=lat longfield=lon count</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="drilldown">none</option> <option name="mapping.choroplethLayer.colorBins">5</option> <option name="mapping.choroplethLayer.colorMode">auto</option> <option name="mapping.choroplethLayer.maximumColor">0xaf575a</option> <option name="mapping.choroplethLayer.minimumColor">0x62b3b2</option> <option name="mapping.choroplethLayer.neutralPoint">0</option> <option name="mapping.choroplethLayer.shapeOpacity">0.75</option> <option name="mapping.choroplethLayer.showBorder">1</option> <option name="mapping.data.maxClusters">100</option> <option name="mapping.legend.placement">bottomright</option> <option name="mapping.map.center">(38.41,-108.41)</option> <option name="mapping.map.panning">1</option> <option name="mapping.map.scrollZoom">0</option> <option name="mapping.map.zoom">4</option> <option name="mapping.markerLayer.markerMaxSize">50</option> <option name="mapping.markerLayer.markerMinSize">10</option> <option name="mapping.markerLayer.markerOpacity">0.8</option> <option name="mapping.showTiles">1</option> <option name="mapping.tileLayer.maxZoom">7</option> <option name="mapping.tileLayer.minZoom">0</option> <option name="mapping.tileLayer.tileOpacity">1</option> <option name="mapping.type">marker</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> </map> </panel> <panel> <title>Failed Auth by Host</title> <chart> <search> <query>index=* "failed" extracted_source="/var/log/audit/audit.log" "audit.type"=USER_LOGIN hostname=$field2$ | bin size bins=30 |timechart count by hostname</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.abbreviation">none</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.abbreviation">none</option> <option name="charting.axisY.scale">linear</option> <option name="charting.axisY2.abbreviation">none</option> <option name="charting.axisY2.enabled">0</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">line</option> <option name="charting.chart.bubbleMaximumSize">50</option> <option name="charting.chart.bubbleMinimumSize">10</option> <option name="charting.chart.bubbleSizeBy">area</option> <option name="charting.chart.nullValueMode">gaps</option> <option name="charting.chart.showDataLabels">minmax</option> <option name="charting.chart.sliceCollapsingThreshold">0.01</option> <option name="charting.chart.stackMode">default</option> <option name="charting.chart.style">shiny</option> <option name="charting.drilldown">none</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option> <option name="charting.legend.mode">standard</option> <option name="charting.legend.placement">bottom</option> <option name="charting.lineWidth">2</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> </chart> </panel> </row> <row> <panel> <title>Top Sudoers</title> <table> <search> <query>index=* extracted_source="/var/log/secure" sudoer!=nrpe hostname=$field2$| stats count by sudoer command | sort - count</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">10</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> <panel> <title>Sudoers</title> <viz type="simple_xml_examples.tagcloud"> <search> <query>index=* "su" extracted_source="/var/log/secure" hostname=$field2$ | stats count by sudoer</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> <option name="simple_xml_examples.tagcloud.labelField">sudoer</option> <option name="simple_xml_examples.tagcloud.maxFontSize">36</option> <option name="simple_xml_examples.tagcloud.minFontSize">8</option> <option name="simple_xml_examples.tagcloud.valueField">count</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> </viz> </panel> <panel> <title>Auditd Top Accounts</title> <viz type="simple_xml_examples.tagcloud"> <search> <query>index=* "su" audit.log.acct=* extracted_source="/var/log/audit/audit.log" hostname=$field2$ | top audit.log.acct</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> <option name="simple_xml_examples.tagcloud.labelField">audit.log.acct</option> <option name="simple_xml_examples.tagcloud.maxFontSize">48</option> <option name="simple_xml_examples.tagcloud.minFontSize">12</option> <option name="simple_xml_examples.tagcloud.valueField">count</option> </viz> </panel> </row> <row> <panel> <title>Sudo count by User By Command By Host</title> <table> <search> <query>index=* "su" extracted_source="/var/log/secure" hostname=$field2$| stats count by sudoer command hostname</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">10</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form>

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186

<form>   <label>Audit All Hosts</label>   <fieldset submitButton="false">     <input type="time" token="field1">       <default>         <earliest>-24h@h</earliest>         <latest>now</latest>       </default>     </input>     <input type="dropdown" token="field2" searchWhenChanged="true">       <label>Environment</label>       <choice value="*">All</choice>       <choice value="*dev*">DEV</choice>       <choice value="*prd*">PROD</choice>       <choice value="*int*">INTG</choice>       <choice value="*tst*">TEST</choice>       <choice value="*inf*">INF</choice>       <choice value="*qa*">QA</choice>       <fieldForLabel>env</fieldForLabel>       <fieldForValue>env</fieldForValue>       <default>*</default>       <initialValue>*</initialValue>     </input>   </fieldset>   <row>     <panel>       <title>Audit Auth Logs By GeoIp</title>       <map>         <title>(ssh originating locations, not updated with Environment dropdown)</title>         <search>           <query>index=* "ssh" "audit.res"=success type=USER_LOGIN hostname=*| iplocation addr | geostats latfield=lat longfield=lon count</query>           <earliest>$field1.earliest$</earliest>           <latest>$field1.latest$</latest>           <sampleRatio>1</sampleRatio>         </search>         <option name="drilldown">none</option>         <option name="mapping.choroplethLayer.colorBins">5</option>         <option name="mapping.choroplethLayer.colorMode">auto</option>         <option name="mapping.choroplethLayer.maximumColor">0xaf575a</option>         <option name="mapping.choroplethLayer.minimumColor">0x62b3b2</option>         <option name="mapping.choroplethLayer.neutralPoint">0</option>         <option name="mapping.choroplethLayer.shapeOpacity">0.75</option>         <option name="mapping.choroplethLayer.showBorder">1</option>         <option name="mapping.data.maxClusters">100</option>         <option name="mapping.legend.placement">bottomright</option>         <option name="mapping.map.center">(38.41,-108.41)</option>         <option name="mapping.map.panning">1</option>         <option name="mapping.map.scrollZoom">0</option>         <option name="mapping.map.zoom">4</option>         <option name="mapping.markerLayer.markerMaxSize">50</option>         <option name="mapping.markerLayer.markerMinSize">10</option>         <option name="mapping.markerLayer.markerOpacity">0.8</option>         <option name="mapping.showTiles">1</option>         <option name="mapping.tileLayer.maxZoom">7</option>         <option name="mapping.tileLayer.minZoom">0</option>         <option name="mapping.tileLayer.tileOpacity">1</option>         <option name="mapping.type">marker</option>         <option name="refresh.display">progressbar</option>         <option name="trellis.enabled">0</option>         <option name="trellis.scales.shared">1</option>         <option name="trellis.size">medium</option>       </map>     </panel>     <panel>       <title>Failed Auth by Host</title>       <chart>         <search>           <query>index=* "failed" extracted_source="/var/log/audit/audit.log" "audit.type"=USER_LOGIN hostname=$field2$ | bin size bins=30 |timechart count by hostname</query>           <earliest>$field1.earliest$</earliest>           <latest>$field1.latest$</latest>           <sampleRatio>1</sampleRatio>         </search>         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>         <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>         <option name="charting.axisTitleX.visibility">visible</option>         <option name="charting.axisTitleY.visibility">visible</option>         <option name="charting.axisTitleY2.visibility">visible</option>         <option name="charting.axisX.abbreviation">none</option>         <option name="charting.axisX.scale">linear</option>         <option name="charting.axisY.abbreviation">none</option>         <option name="charting.axisY.scale">linear</option>         <option name="charting.axisY2.abbreviation">none</option>         <option name="charting.axisY2.enabled">0</option>         <option name="charting.axisY2.scale">inherit</option>         <option name="charting.chart">line</option>         <option name="charting.chart.bubbleMaximumSize">50</option>         <option name="charting.chart.bubbleMinimumSize">10</option>         <option name="charting.chart.bubbleSizeBy">area</option>         <option name="charting.chart.nullValueMode">gaps</option>         <option name="charting.chart.showDataLabels">minmax</option>         <option name="charting.chart.sliceCollapsingThreshold">0.01</option>         <option name="charting.chart.stackMode">default</option>         <option name="charting.chart.style">shiny</option>         <option name="charting.drilldown">none</option>         <option name="charting.layout.splitSeries">0</option>         <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>         <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>         <option name="charting.legend.mode">standard</option>         <option name="charting.legend.placement">bottom</option>         <option name="charting.lineWidth">2</option>         <option name="refresh.display">progressbar</option>         <option name="trellis.enabled">0</option>         <option name="trellis.scales.shared">1</option>         <option name="trellis.size">medium</option>       </chart>     </panel>   </row>   <row>     <panel>       <title>Top Sudoers</title>       <table>         <search>           <query>index=* extracted_source="/var/log/secure" sudoer!=nrpe hostname=$field2$| stats count by sudoer command | sort - count</query>           <earliest>$field1.earliest$</earliest>           <latest>$field1.latest$</latest>           <sampleRatio>1</sampleRatio>         </search>         <option name="count">10</option>         <option name="dataOverlayMode">none</option>         <option name="drilldown">none</option>         <option name="percentagesRow">false</option>         <option name="refresh.display">progressbar</option>         <option name="rowNumbers">false</option>         <option name="totalsRow">false</option>         <option name="wrap">true</option>       </table>     </panel>     <panel>       <title>Sudoers</title>       <viz type="simple_xml_examples.tagcloud">         <search>           <query>index=* "su" extracted_source="/var/log/secure" hostname=$field2$ | stats count by sudoer</query>           <earliest>$field1.earliest$</earliest>           <latest>$field1.latest$</latest>           <sampleRatio>1</sampleRatio>         </search>         <option name="drilldown">none</option>         <option name="refresh.display">progressbar</option>         <option name="simple_xml_examples.tagcloud.labelField">sudoer</option>         <option name="simple_xml_examples.tagcloud.maxFontSize">36</option>         <option name="simple_xml_examples.tagcloud.minFontSize">8</option>         <option name="simple_xml_examples.tagcloud.valueField">count</option>         <option name="trellis.enabled">0</option>         <option name="trellis.scales.shared">1</option>         <option name="trellis.size">medium</option>       </viz>     </panel>     <panel>       <title>Auditd Top Accounts</title>       <viz type="simple_xml_examples.tagcloud">         <search>           <query>index=* "su" audit.log.acct=* extracted_source="/var/log/audit/audit.log" hostname=$field2$ | top audit.log.acct</query>           <earliest>$field1.earliest$</earliest>           <latest>$field1.latest$</latest>         </search>         <option name="drilldown">none</option>         <option name="refresh.display">progressbar</option>         <option name="simple_xml_examples.tagcloud.labelField">audit.log.acct</option>         <option name="simple_xml_examples.tagcloud.maxFontSize">48</option>         <option name="simple_xml_examples.tagcloud.minFontSize">12</option>         <option name="simple_xml_examples.tagcloud.valueField">count</option>       </viz>     </panel>   </row>   <row>     <panel>       <title>Sudo count by User By Command By Host</title>       <table>         <search>           <query>index=* "su" extracted_source="/var/log/secure" hostname=$field2$| stats count by sudoer command hostname</query>           <earliest>$field1.earliest$</earliest>           <latest>$field1.latest$</latest>           <sampleRatio>1</sampleRatio>         </search>         <option name="count">10</option>         <option name="dataOverlayMode">none</option>         <option name="drilldown">none</option>         <option name="percentagesRow">false</option>         <option name="refresh.display">progressbar</option>         <option name="rowNumbers">false</option>         <option name="totalsRow">false</option>         <option name="wrap">true</option>       </table>     </panel>   </row> </form>

 

Continue Reading →

Repeated Unsuccessful Logon Attempts in Linux

• linux_secure
• SplunkNinja
• 1 Comment
• 2 1

The following Splunk search query will return results for failed login attempts in a Linux environment for a specified time range. The regular expressions are defined within the search string, however if you already extracted the necessary fields you can ignore the regex section.  

sourcetype=linux_secure | eval Date=strftime(_time, "%Y/%m/%d") | rex ".*:\d{2}\s(?<hostname>\S+)" | rex "gdm\S+\sauthentication\s(?<status>\w+)" | rex "\suser[^'](?<User>\S+\w+)" | search status=failure| stats count as fails by Date, User, hostname | eval "Alert Level"=case(fails>=50, "Critical", fails<50 AND fails>=20, "Warning", fails<20, "Normal") | sort - fails| rename fails as "Failed Logon Attempts" | rename User as "Account in Question"

1

sourcetype=linux_secure | eval Date=strftime(_time, "%Y/%m/%d") | rex ".*:\d{2}\s(?<hostname>\S+)" | rex "gdm\S+\sauthentication\s(?<status>\w+)" | rex "\suser[^'](?<User>\S+\w+)" | search status=failure| stats count as fails by Date, User, hostname | eval "Alert Level"=case(fails>=50, "Critical", fails<50 AND fails>=20, "Warning", fails<20, "Normal") | sort - fails| rename fails as "Failed Logon Attempts" | rename User as "Account in Question"

Continue Reading →

Linux Cron Job Information

• Cron
• SplunkNinja
• 5 0

This splunk query example uses regex (regular expressions) to extract information on Linux cron jobs. *Note* this query has not been extensively tested

sourcetype="cron" | eval Date=strftime(_time, "%Y/%m/%d") | rex ".*:\d{2}\s(?<hostname>\S+)" | rex "]:\sfinished(?<Info>.*)"  | stats count by Date, hostname, Info

1	sourcetype="cron" | eval Date=strftime(_time, "%Y/%m/%d") | rex ".*:\d{2}\s(?<hostname>\S+)" | rex "]:\sfinished(?<Info>.*)"  | stats count by Date, hostname, Info

Continue Reading →

Escalation of Privileges via SU in Linux

• linux_secure
• SplunkNinja
• 5 0

The following splunk query example will return a list of users who escalated privileges on any host in a given time range. The query will count by day, if you need to count in a shorter or longer time range modify the “Date=strftime” value below. *NOTE* if the host field is being autoextracted (for instance […]

Continue Reading →

Number of Hosts the Root Account was Detected on

• linux_secure
• SplunkNinja
• 2 0

The following splunk query example will return the total number of hosts the Root account was detected on  in a given time range *NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and can call upon the auto extracted fieldname […]

Continue Reading →

Top 10 Most Active Hosts in a Linux Environment

• linux_secure
• SplunkNinja
• 1 0

The following splunk query example will return the top 10 most active hosts in a given time range. Active in this instance is determined simply the number of log entries. *NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and […]

Continue Reading →

Count of Unique Hosts in Linux

• linux_secure
• SplunkNinja
• 2 0

The following splunk query example will return a unique count of hosts in a given time range *NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and can call upon the auto extracted fieldname of “host”

sourcetype=linux_secure |rex ".*:\d{2}\s(?<hostname>\S+)" | stats dc(hostname)

1	sourcetype=linux_secure |rex ".*:\d{2}\s(?<hostname>\S+)" | stats dc(hostname)

Continue Reading →

List of Hosts in a Linux Environment

• linux_secure
• SplunkNinja
• 2 0

The following splunk query example will return a list of hosts by hostname in a given time range. *NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and can call upon the auto extracted fieldname of “host”

sourcetype=linux_secure |rex ".*:\d{2}\s(?<hostname>\S+)" | stats count by hostname

1	sourcetype=linux_secure |rex ".*:\d{2}\s(?<hostname>\S+)" | stats count by hostname

Continue Reading →

Top 10 most active Users in Linux

• linux_secure
• SplunkNinja
• 3 0

The following splunk query example will return the top 10 most active users in a given time range  

sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | top limit=10 User

1	sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | top limit=10 User

Continue Reading →