
How can I make the Splunk App for PCI Compliance count "last message repeated 2 times" on su authentication failure in /var/log/secure?

hylam
Contributor

/var/log/secure

Jun 29 11:47:58 ecc2 su: pam_unix(su-l:auth): authentication failure; logname=root uid=11130 euid=0 tty=pts/1 ruser=delta rthost=  user=root
Jun 29 11:48:38 ecc2 last message repeated 2 times

I would like a notable event to be generated after su has failed 5 times in 30 min. I have run the following search

host=ecc2 `authentication(failure)`

The "authentication(failure)" should be a macro surrounded by backticks.

The search gives the "authentication failure" line without the repetition count. How can I get Splunk to count it? How can I disable the repetition count in syslog? Thanks.

woodcock
Esteemed Legend

How about like this:

... | rex "[Ll]ast\s+message\s+repeated\s+(?<repeatsNoContext>\d+)\s+times" | fillnull value=0 repeatsNoContext | autoregress repeatsNoContext AS repeatsForMe | eval myCount= 1 + repeatsForMe

This will cause every event to have a field myCount that is correct.

0 Karma


srinathd
Contributor

Extract "authentication failure" into some field say "suFailure" then use transaction command like this

transaction suFailure maxspan=1800s | where eventcount >=5

0 Karma

hylam
Contributor

"last message repeated 2 times" <-- how can the transaction eventcount work on this?

0 Karma

srinathd
Contributor

With "transaction suFailure maxspan=1800s | where eventcount >=5" you will get the notable events whose count is 5 or greater. If the events always have this "last message repeated" text, then extract it as a field and use it in the transaction command. Try it.

0 Karma

hylam
Contributor

When the Splunk transaction eventcount=2, the repeat count in /var/log/secure can be 2 or above. How can I count 5+ login failure attempts?

0 Karma
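Both approaches in the thread (woodcock's autoregress trick and srinathd's transaction with eventcount) run into the same problem: a syslog "last message repeated N times" line stands in for N suppressed copies of the previous message, so counting lines undercounts failures. The script below is an added example, not code from the original posts or from the Splunk App for PCI Compliance. It does outside Splunk what the question asks for: parse /var/log/secure lines, expand each "last message repeated N times" into N su failures attributed to the immediately preceding message from the same host (and only when that message was an su failure), then flag a burst of 5 or more failures within a 30-minute sliding window. The log lines are constructed for the example, the year 2015 is assumed because syslog timestamps carry no year, and the repeats are timestamped at the "repeated" line since that is the latest point at which they can have occurred.

```python
import re
from collections import deque
from itertools import groupby
from datetime import datetime

# Constructed sample in the shape of the poster's /var/log/secure (not real data).
# Note the "repeated" line after the sshd message: it must NOT count as su failures.
SAMPLE_LOG = """\
Jun 29 11:47:58 ecc2 su: pam_unix(su-l:auth): authentication failure; logname=root uid=11130 euid=0 tty=pts/1 ruser=delta rhost=  user=root
Jun 29 11:48:38 ecc2 last message repeated 2 times
Jun 29 11:55:02 ecc2 sshd[2211]: Accepted publickey for delta from 10.0.0.5 port 51022 ssh2
Jun 29 11:55:30 ecc2 last message repeated 2 times
Jun 29 12:05:10 ecc2 su: pam_unix(su-l:auth): authentication failure; logname=root uid=11130 euid=0 tty=pts/1 ruser=delta rhost=  user=root
Jun 29 12:06:01 ecc2 last message repeated 3 times
Jun 29 12:40:00 ecc2 su: pam_unix(su-l:auth): authentication failure; logname=root uid=11130 euid=0 tty=pts/1 ruser=delta rhost=  user=root
"""

ASSUMED_YEAR = 2015  # syslog timestamps have no year; assumed for the sample

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
# Case-insensitive: the log says "last", some writeups say "Last".
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times?$", re.IGNORECASE)
# pam_unix(su:auth) and pam_unix(su-l:auth) both appear in the wild.
SU_FAIL_RE = re.compile(r"^su: pam_unix\(su(?:-l)?:auth\): authentication failure;")


def parse_ts(ts):
    """Turn 'Jun 29 11:47:58' into a datetime using the assumed year."""
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def expand_su_failures(lines):
    """Yield one timestamp per su authentication failure.

    A 'last message repeated N times' line yields N failures if, and only if,
    the previous message from the same host was an su failure. The repeat line
    does not replace the remembered message, matching syslogd's behaviour.
    """
    last_msg = {}  # host -> text of the previous non-repeat message
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, host, msg = parse_ts(m["ts"]), m["host"], m["msg"]
        rep = REPEAT_RE.match(msg)
        if rep:
            prev = last_msg.get(host)
            if prev is not None and SU_FAIL_RE.match(prev):
                for _ in range(int(rep["n"])):
                    yield ts
            continue
        last_msg[host] = msg
        if SU_FAIL_RE.match(msg):
            yield ts


def detect_bursts(times, threshold=5, window_seconds=1800):
    """Sliding-window burst detection.

    Returns one (timestamp, count) per burst: the moment the number of failures
    in the trailing window first reaches threshold. Events sharing a timestamp
    (expanded repeats) are admitted together so the reported count is complete.
    """
    window = deque()
    alerts = []
    in_burst = False
    for t, group in groupby(sorted(times)):
        window.extend(group)
        while (t - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and not in_burst:
            alerts.append((t, len(window)))
            in_burst = True
        elif len(window) < threshold:
            in_burst = False
    return alerts


if __name__ == "__main__":
    failures = list(expand_su_failures(SAMPLE_LOG.splitlines()))
    print(f"{len(failures)} su failures after expanding repeats")
    for when, count in detect_bursts(failures):
        print(f"notable: {count} su failures in 30 min ending {when}")
```

On the sample the 7 log lines expand to 8 su failures, the sshd repeats are ignored, and a single burst is reported at 12:06:01 with 7 failures in the window; the same logic maps onto SPL as "carry the repeat count onto the preceding su event, then sum the counts per 30-minute span" rather than counting events.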