Solved: Alert on a user attempting to connect from one box...

AaronMoorcroft · ‎08-17-2016

Hi Guys,

Whats the best way if at all to alert on a specific user trying to connect from a specific system to another specific system ? any help would be greatly appreciated, if it matters the systems will be Unix systems not Windows

lguinn2 · ‎08-17-2016

If you mean "how can I identify an ssh login attempt between 2 Linux boxes that uses a specific user name," that's pretty simple.
First, on the target system, make sure you are collecting /var/log/secure.log and sending it to Splunk with a sourcetype of linux_secure Then, your Splunk search will be:

sourcetype=linux_secure host="target system name" src_ip="ip address of first system" user="user name"

That gives you a starting point, at least. secure.log is the ssh log and it is normally found in /var/log

View solution in original post

lguinn2 · ‎08-17-2016

If you mean "how can I identify an ssh login attempt between 2 Linux boxes that uses a specific user name," that's pretty simple.
First, on the target system, make sure you are collecting /var/log/secure.log and sending it to Splunk with a sourcetype of linux_secure Then, your Splunk search will be:

sourcetype=linux_secure host="target system name" src_ip="ip address of first system" user="user name"

That gives you a starting point, at least. secure.log is the ssh log and it is normally found in /var/log

AaronMoorcroft · ‎08-18-2016

Thank you that's a great help

Alert on a user attempting to connect from one box to another

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!