Splunk Search

Search & rex to munge log data for execution of "sudo" commands

rmenr
New Member

I'm looking to create a custom search for a dashboard I'm working on related to security. The idea is to detect the execution or attempted execution of sudo commands, and to be alerted or notified when there are failed attempts.

My goal is to create a search that displays only the relevant and desired pieces of data, so that it's simple and easy to read and I can pivot that into a daily/weekly/monthly report.

Of course, we'll add notification via e-mail for sudo failures too.

Now, the trouble is that I wrote this monstrosity of a regex and I also wrote a very SIMPLE search string, and they are both producing the SAME results...so you can imagine how frustrated I am for busting my butt on the regex.

Here are the two searches I've composed:

source="/var/log/auth.log" | search sudo NOT "/usr/sbin/megacli"

VS

source="/var/log/auth.log" | rex "(?[A-Z]\w+\s+\d\s\d{2}:\d{2}:\d{2})\s(?[a-z.]).(?(?<=:)\s+\w+\s*(?=:)).(?(?<=:)[\s\d\w]+(?=;)).(?(?<=COMMAND=).*)" | search sudo NOT "/usr/sbin/megacli"

Why do the search results appear the same?


gkanapathy
Splunk Employee

The rex command does not do anything to the results and events except add new extracted fields. It would not transform or change the raw text, or remove stuff. Your search command doesn't care about these new fields, so of course it is just going to do the same whether they exist or not.

BTW, it would also give you the same results (and run faster) with:

source="/var/log/auth.log" sudo NOT "/usr/sbin/megacli"

I'm not sure what you're trying to do, but either you mean to use the regex command, or else your last command should either be something like ... | where command=="blahblah" or ... | search servername="abcdef"?

Or maybe you're looking for the fields or table commands?

rmenr
New Member

source="/var/log/auth.log" sudo NOT "/usr/sbin/megacli" command NOT "nessus*" is what I'm working with now, but I do have a question -->

This specific search is not catching failed "sudo su -" attempts which show up in the logs like this:

sudo: pam_krb5(sudo:auth): authentication failure; logname=redacted uid=0 euid=0 tty=/dev/pts/1 ruser=redacted rhost=

How can I get it to catch those as well?

Again, many thanks!!

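As an added example that is not part of this thread (written in Python rather than SPL so it can be run offline), here is the field extraction the rex above attempts, plus a second pattern for the pam_krb5 "authentication failure" line from the follow-up question, applied to a few constructed auth.log lines. It shows the two points raised in the thread: extraction only adds fields and never changes which events survive, and a failed "sudo su -" leaves no COMMAND= record, so it needs its own match. The field names (timestamp, host, user, details, command), the regexes and the sample lines are assumptions of this example, not the poster's or Splunk's.

```python
import re

# Constructed auth.log lines (not from the thread): a sudo COMMAND record, the
# PAM failure a rejected "sudo su -" leaves, the noisy megacli job, a non-sudo line.
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  3 10:15:09 web01 sudo: pam_krb5(sudo:auth): authentication failure; logname=bob uid=0 euid=0 tty=/dev/pts/1 ruser=bob rhost=
Mar  3 10:15:12 web01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Mar  3 10:16:00 web01 sudo:   svc : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/megacli -LDInfo
Mar  3 10:16:30 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

# Python spells named groups (?P<name>...); Splunk's rex takes (?<name>...).
SYSLOG_PREFIX = (r"^(?P<timestamp>[A-Z]\w+\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
                 r"(?P<host>\S+)\ssudo:\s+")
COMMAND_RE = re.compile(SYSLOG_PREFIX + r"(?P<user>\S+)\s:\s(?P<details>.*?)\s;\sCOMMAND=(?P<command>.*)$")
FAILURE_RE = re.compile(SYSLOG_PREFIX + r"pam_\w+\(sudo:auth\):\s+authentication failure;\s+(?P<kv>.*)$")

def parse_sudo_event(line):
    """Return extracted fields for a sudo line, or None for anything else.
    Like rex, this only adds fields; it never rewrites or drops the event."""
    m = COMMAND_RE.match(line)
    if m:
        return {"outcome": "command", **m.groupdict()}
    m = FAILURE_RE.match(line)
    if m:
        # The failure record has key=value pairs instead of COMMAND=; an empty
        # value such as rhost= is kept as "" rather than lost.
        kv = dict(re.findall(r"(\w+)=(\S*)", m.group("kv")))
        return {"outcome": "auth_failure", "timestamp": m.group("timestamp"),
                "host": m.group("host"), "user": kv.get("logname") or kv.get("ruser"),
                "tty": kv.get("tty"), "rhost": kv.get("rhost")}
    return None

def report(log_text, exclude_commands=("/usr/sbin/megacli",)):
    """Keep every sudo event except the excluded binaries. Failures always stay:
    they carry no COMMAND= field, so a command exclusion never hides them."""
    rows = []
    for line in log_text.splitlines():
        ev = parse_sudo_event(line)
        if ev is None:
            continue
        if ev["outcome"] == "command" and ev["command"].partition(" ")[0] in exclude_commands:
            continue
        rows.append(ev)
    return rows

def failures(rows):
    """The subset worth an e-mail alert: authentication failures only."""
    return [r for r in rows if r["outcome"] == "auth_failure"]
```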