This query will show a timechart of the status of an Locked Out Account
|
1 |
sourcetype="WinEventLog:Security" EventCode=4625 AND Status=0xC0000234 | timechart count by user | sort -count |
Nr. of unique visitors per hour timechart
|
1 |
host=insertHostnameHere sourcetype=access_combined | timechart span=1h dc(sourceIP) |
If you have Fieldextraction for the visitor IP’s, in this example named ‘sourceIP’, this simple query will list the number of unique visitors per hour
Timechart of Linux Logons
The following splunk search will return a timechart of all successful logons for a given linux environment (regex provided):
|
1 |
sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | timechart count(username) |
The following splunk search will return a timechart of all failed logons for a given linux environment(regex provided):
|
1 |
sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | timechart count(username) |
