Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Michael Wilde commented on Michael Wilde's video
Sure... When you do group mapping, map them to groups that don't have the domain admins in them. I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
Mike Hartford commented on Michael Wilde's video
I want to give LDAP access to my splunk servcie but I don't want the LDAP users to have admin capabilitys in Splunk. Can I keep the domain admins out of Splunk if I have LDAP authentication???
Mike Hartford left a comment for Jonathan Hawes
Helow Jonathan,
Glad to have another Splunker. I've been useing Splunk for 2 years and am hooked. I leared how to spell splunk and | transaction too. you'll learn that one soon.
Go over to Splunk…
Mike Hartford commented on Mike Hartford's blog post 'tees for the holy day'
Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!
The team that found them must have special bat senses and highly tooned Splunking skills
I like to wear Extra Lovable…
StatsWow - simple things you can do with "stats" - security scenario
I had someone propose this to me the other day:
I’d like to be alerted if “anyone” fails a login on my boxes more than 20 times in a 24 hour period and be notified of it.
How do we do that in Splunk. Not how you might think, but the search language is very powerful and when used can wields some nasty wounds on the bad guys.
Splunk search logic: Find failed logins with search with “hoursago=24” added to critera. Ask splunk to count the number of failed logins per user. Then ask splunk to filter on any users that have a failed login count of more than 20. The search command looks like this
“failed password hoursago=24 | stats count by user | search count>20” (<----btw, user is an “extracted field” out of those events---easy)
Break it down for me ninja!
"failed password hoursago=24" -- obviously gets the results of a search with failed password in the past 24 hours..
"| stats count by user" -- presents a table with the columns of {username, count}
"| search count>20" -- searches within that table where the count field is greater than 20
Save that search, schedule it to run everyday at midnight. Alert if this search returns more than 0 events. (not more than 0 logins.. But the search, looking for >20 failed logins comes back positive or negative. Oh, and make that alert an email AND an RSS feed....sweet.
I’d like to be alerted if “anyone” fails a login on my boxes more than 20 times in a 24 hour period and be notified of it.
How do we do that in Splunk. Not how you might think, but the search language is very powerful and when used can wields some nasty wounds on the bad guys.
Splunk search logic: Find failed logins with search with “hoursago=24” added to critera. Ask splunk to count the number of failed logins per user. Then ask splunk to filter on any users that have a failed login count of more than 20. The search command looks like this
“failed password hoursago=24 | stats count by user | search count>20” (<----btw, user is an “extracted field” out of those events---easy)
Break it down for me ninja!
"failed password hoursago=24" -- obviously gets the results of a search with failed password in the past 24 hours..
"| stats count by user" -- presents a table with the columns of {username, count}
"| search count>20" -- searches within that table where the count field is greater than 20
Save that search, schedule it to run everyday at midnight. Alert if this search returns more than 0 events. (not more than 0 logins.. But the search, looking for >20 failed logins comes back positive or negative. Oh, and make that alert an email AND an RSS feed....sweet.
Views: 3
© 2012 Created by Michael Wilde.
