Hi Guys,
What's the best way, if at all, to alert on a specific user trying to connect from a specific system to another specific system? Any help would be greatly appreciated. If it matters, the systems will be Unix systems, not Windows.
If you mean "how can I identify an ssh login attempt between 2 Linux boxes that uses a specific user name," that's pretty simple.
First, on the target system, make sure you are collecting /var/log/secure.log and sending it to Splunk with a sourcetype of linux_secure.
Then, your Splunk search will be:
sourcetype=linux_secure host="target system name" src_ip="ip address of first system" user="user name"
That gives you a starting point, at least. secure.log is the ssh log and it is normally found in /var/log.
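As an added illustration (not part of the original answer), here is the same host/src_ip/user filter applied locally in Python to a few constructed sshd lines in the /var/log/secure format. The field names host, src_ip and user are chosen to mirror the search above; the hostnames, addresses and usernames are made up.

```python
import re

# Constructed sample lines in the format sshd writes to /var/log/secure (RHEL)
# or /var/log/auth.log (Debian). Hosts, addresses and users are made up.
SAMPLE_SECURE_LOG = """\
Mar  4 10:01:12 dbserver sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc
Mar  4 10:02:40 dbserver sshd[2218]: Failed password for alice from 10.0.0.5 port 51240 ssh2
Mar  4 10:03:01 dbserver sshd[2222]: Failed password for invalid user oracle from 10.0.0.9 port 40012 ssh2
Mar  4 10:04:15 webserver sshd[3102]: Accepted password for alice from 10.0.0.5 port 51300 ssh2
Mar  4 10:05:00 dbserver sshd[2230]: Accepted publickey for bob from 10.0.0.5 port 51350 ssh2: ED25519 SHA256:def
"""

# One regex for both successful and failed sshd authentication lines.
# "invalid user" appears when the account does not exist on the target.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_sshd(lines):
    """Yield one dict per sshd auth line, with the fields the Splunk search keys on."""
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            yield m.groupdict()


def match_triple(events, host, src_ip, user):
    """Return the events where `user` tried to log in to `host` from `src_ip`.

    Both accepted and failed attempts are returned; the caller decides which
    results are worth an alert (a failed attempt may matter as much as a success).
    """
    return [
        e for e in events
        if e["host"] == host and e["src_ip"] == src_ip and e["user"] == user
    ]


if __name__ == "__main__":
    events = list(parse_sshd(SAMPLE_SECURE_LOG.splitlines()))
    for e in match_triple(events, "dbserver", "10.0.0.5", "alice"):
        print(f'{e["ts"]} {e["result"]} {e["method"]} for {e["user"]} '
              f'from {e["src_ip"]} -> {e["host"]}')
```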
Thank you, that's a great help.