The dojo of Splunk. Learn, share, teach, mentor.
StatsWow - simple things you can do with "stats" - security scenario
I had someone propose this to me the other day:
I’d like to be alerted if “anyone” fails a login on my boxes more than 20 times in a 24 hour period and be notified of it.
How do we do that in Splunk. Not how you might think, but the search language is very powerful and when used can wields some nasty wounds on the bad guys.
Splunk search logic: Find failed logins with search with “hoursago=24” added to critera. Ask splunk to count the number of failed logins per user. Then ask splunk to filter on any users that have a failed login count of more than 20. The search command looks like this
“failed password hoursago=24 | stats count by user | search count>20” (<----btw, user is an “extracted field” out of those events---easy)
Break it down for me ninja!
"failed password hoursago=24" -- obviously gets the results of a search with failed password in the past 24 hours..
"| stats count by user" -- presents a table with the columns of {username, count}
"| search count>20" -- searches within that table where the count field is greater than 20
Save that search, schedule it to run everyday at midnight. Alert if this search returns more than 0 events. (not more than 0 logins.. But the search, looking for >20 failed logins comes back positive or negative. Oh, and make that alert an email AND an RSS feed....sweet.
I’d like to be alerted if “anyone” fails a login on my boxes more than 20 times in a 24 hour period and be notified of it.
How do we do that in Splunk. Not how you might think, but the search language is very powerful and when used can wields some nasty wounds on the bad guys.
Splunk search logic: Find failed logins with search with “hoursago=24” added to critera. Ask splunk to count the number of failed logins per user. Then ask splunk to filter on any users that have a failed login count of more than 20. The search command looks like this
“failed password hoursago=24 | stats count by user | search count>20” (<----btw, user is an “extracted field” out of those events---easy)
Break it down for me ninja!
"failed password hoursago=24" -- obviously gets the results of a search with failed password in the past 24 hours..
"| stats count by user" -- presents a table with the columns of {username, count}
"| search count>20" -- searches within that table where the count field is greater than 20
Save that search, schedule it to run everyday at midnight. Alert if this search returns more than 0 events. (not more than 0 logins.. But the search, looking for >20 failed logins comes back positive or negative. Oh, and make that alert an email AND an RSS feed....sweet.
Videos
Latest Splunk Community Postings
© 2010 Created by Michael Wilde.
Powered by 
.
