/var/log/secure
Jun 29 11:47:58 ecc2 su: pam_unix(su-l:auth): authentication failure; logname=root uid=11130 euid=0 tty=pts/1 ruser=delta rthost= user=root
Jun 29 11:48:38 ecc2 last message repeated 2 times
I would like a notable event to be generated after su failed 5 times in 30 min. I have run the following search:
host=ecc2 `authentication(failure)`
The "authentication(failure)" should be a macro surrounded by backticks.
The search gives the "authentication failure" line w/o the repetition count? How can I get Splunk to count it? How can I disable the repetition count in syslog? Thx.
How about like this:
... | rex "(?i)last\s+message\s+repeated\s+(?<repeatsNoContext>\d+)\s+times?" | fillnull value=0 repeatsNoContext | autoregress repeatsNoContext AS repeatsForMe | fillnull value=0 repeatsForMe | eval myCount = 1 + repeatsForMe
This will cause every event to have a field myCount.
that is correct.
Please see my comment to the question here:
https://answers.splunk.com/answers/334215/how-do-i-deal-with-linux-authlog-last-message-repe.html
Extract "authentication failure" into some field, say "suFailure", then use the transaction command like this:
transaction suFailure maxspan=1800s | where eventcount >=5
last message repeated 2 times <-- how can transaction event count work on this?
By this "transaction suFailure maxspan=1800s | where eventcount >=5" you will get the notable event count which is greater than 5. If the event always has this "last message repeated", then extract this as a field and use it in the transaction command. Try it.
When Splunk transaction eventcount=2, the repeat count in /var/log/secure can be 2 or above. How can I count 5+ login failure attempts?
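As an added illustration (not code from this thread), the two steps discussed above in plain Python: credit each syslog "last message repeated N times" line to the failure immediately before it, as the autoregress answer does, then count individual failures in a trailing 30-minute window against the 5-failure threshold from the question. The sample log lines, regex patterns, the year 2015 and the function names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the /var/log/secure lines in the question (year assumed).
SAMPLE_LOG = """\
Jun 29 11:47:58 ecc2 su: pam_unix(su-l:auth): authentication failure; logname=root uid=11130 euid=0 tty=pts/1 ruser=delta rhost= user=root
Jun 29 11:48:38 ecc2 last message repeated 2 times
Jun 29 11:55:02 ecc2 sshd[2201]: Accepted publickey for delta from 192.0.2.10 port 51234 ssh2
Jun 29 11:56:00 ecc2 last message repeated 3 times
Jun 29 12:05:10 ecc2 su: pam_unix(su-l:auth): authentication failure; logname=root uid=11130 euid=0 tty=pts/1 ruser=delta rhost= user=root
Jun 29 12:06:00 ecc2 last message repeated 1 time
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times?", re.IGNORECASE)
SU_FAIL_RE = re.compile(r"\bsu: .*authentication failure")

def parse_ts(ts, year=2015):
    # Syslog timestamps carry no year; 2015 is an assumption for the sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def expand_su_failures(log_text):
    """One timestamp per su failure; 'last message repeated N times' is credited to
    the message before it (as autoregress does) and adds N failures at the summary's
    time. A summary that follows a non-failure line is ignored."""
    failures, prev_was_failure = [], False
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        rep = REPEAT_RE.search(msg)
        if rep:
            if prev_was_failure:
                failures.extend([ts] * int(rep["n"]))
            continue  # a summary does not change what "last message" refers to
        prev_was_failure = bool(SU_FAIL_RE.search(msg))
        if prev_was_failure:
            failures.append(ts)
    return failures

def threshold_alerts(times, threshold=5, window=timedelta(minutes=30)):
    """(time, count) for each failure at which the trailing window holds >= threshold."""
    times, alerts = sorted(times), []
    for i, t in enumerate(times):
        count = sum(1 for u in times[:i + 1] if t - u < window)
        if count >= threshold:
            alerts.append((t, count))
    return alerts
```

On the sample, the three failures summarised at 11:48:38 plus the two around 12:05 give five within 30 minutes, so the alert fires at 12:06:00; a plain transaction eventcount over the raw lines would only see two or three events.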