I am trying to find the number of successful/failed logins to my machine over time with a distinct count by user. This is the current search so far but I am unable to display a visualization for the below search:
source="/var/log/auth.log"
| search "Failed Password" OR "Accepted Password"
| table time srcHost dstHost user cmd process
| timechart span=1h dc(user) by srcHost
I am currently returning four events but nothing is being displayed under the visualization tab. Any help would be appreciated.
Update 06Feb17:
I did not realize you needed to use the builtin _time field rather than one that I had parsed out of the log and named time. I have updated the query to represent as much:
source="/var/log/auth.log"
| search "Failed Password" OR "Accepted Password"
| eval type=if(searchmatch("Failed password"),"Fail","Success")
| table _time srcHost dstHost user cmd process type
| timechart span=1h count(type) by srcHost
Additionally, I added the new field type to highlight whether or not the entry is a failed login or a success. The visualization appears, however the count(type) does not separate between the different values in type by srcHost. In other words, within an hour span I want a column for each host with different colors representing success or failure rather than representing them all as one color.
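Added illustration (not part of the original question or any of the replies): timechart's by clause splits on a single field, so a count by srcHost can only produce one column per source host. Getting a separate Fail and Success column per host means combining the two fields into one series name first (for example eval series=srcHost."-".type, then timechart span=1h count by series). The stand-alone Python below reproduces what that pipeline computes over a handful of constructed auth.log lines: it parses sshd "Accepted password" / "Failed password" events into the question's fields (_time, srcHost, dstHost, user, type), buckets them into one-hour spans, and returns both the count split by srcHost and type and the dc(user) per srcHost. Hostnames, users, addresses and the year are assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format sshd writes to /var/log/auth.log
# (hostnames, users and addresses are made up for this example).
SAMPLE_AUTH_LOG = """\
Feb  6 10:02:11 web01 sshd[2101]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Feb  6 10:14:37 web01 sshd[2144]: Failed password for bob from 203.0.113.7 port 40011 ssh2
Feb  6 10:15:02 web01 sshd[2144]: Failed password for bob from 203.0.113.7 port 40012 ssh2
Feb  6 10:16:45 web01 sshd[2150]: Failed password for invalid user admin from 203.0.113.7 port 40020 ssh2
Feb  6 11:01:09 db01 sshd[3310]: Accepted password for carol from 10.0.0.9 port 33900 ssh2
Feb  6 11:30:55 db01 sshd[3322]: Failed password for carol from 10.0.0.9 port 33912 ssh2
"""

# Matches "Accepted password for <user>" and "Failed password for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<dstHost>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<srcHost>\S+) port \d+"
)


def parse_auth_log(text, year=2017):
    """Turn raw auth.log lines into events carrying the fields the search uses.
    syslog timestamps have no year, so one is supplied (assumed: 2017)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # anything other than a password auth result is ignored
        stamp = " ".join(m["ts"].split())  # collapse the padded day ("Feb  6")
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({
            "_time": ts,
            "dstHost": m["dstHost"],
            "srcHost": m["srcHost"],
            "user": m["user"],
            # same classification as the question's eval: Fail vs Success
            "type": "Fail" if m["result"] == "Failed" else "Success",
        })
    return events


def hourly_login_stats(events):
    """One-hour buckets (timechart span=1h) with two aggregations:
    count split by srcHost AND type, and dc(user) per srcHost."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for ev in events:
        hour = ev["_time"].replace(minute=0, second=0, microsecond=0)
        bucket = hour.strftime("%Y-%m-%d %H:00")
        counts[(bucket, ev["srcHost"], ev["type"])] += 1
        users[(bucket, ev["srcHost"])].add(ev["user"])
    distinct_users = {k: len(v) for k, v in users.items()}
    return dict(counts), distinct_users


def as_series_table(counts):
    """Lay the counts out the way timechart does once the two split fields are
    combined into one (eval series=srcHost."-".type): one row per hour and one
    column per srcHost-type series, so every host gets its own Fail and Success
    column that the chart can colour separately."""
    table = defaultdict(dict)
    for (bucket, src, kind), n in counts.items():
        table[bucket][f"{src}-{kind}"] = n
    return {b: dict(sorted(cols.items())) for b, cols in sorted(table.items())}


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    counts, dc_users = hourly_login_stats(evs)
    for hour, cols in as_series_table(counts).items():
        print(hour, cols)
    for (hour, src), n in sorted(dc_users.items()):
        print(hour, src, "distinct users:", n)
```

Running it prints one row per hour with a column per host-and-result series, which is the shape the question wants the column chart to draw; the dc(user) output shows that the three failures from 203.0.113.7 in the 10:00 hour involved two distinct usernames, a detail the plain count hides.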
The table command should be | table _time date srcHost dstHost user cmd process (_time). Is that a typo in the question?
Did you ever solve the second piece of your question?
"Additionally, I added the new field type to highlight whether or not the entry is a failed login or a success. The visualization appears however the count(type) does not separate b/w the different values in type by srcHost. In other words within an hour span I want a column for each host with different colors representing success or failure rather than representing them all as one color."
I am trying to figure this out now.
You were correct that was wrong... Working on Visualization now.