Splunk Search

Log correlation for login without active (VPN) session

rgerritse
New Member

First post so: hi all!

I need some help to set up an alert if a user logs in on one of our systems without an active VPN. To do this I want to correlate some events from the VPN device:

VPN connect:
{"syslog_program":"%ASA-4-722051","type":"syslog","syslog_severity":"warning","received_by":"redis","received_from":"hostname","time_lag":1289,"@version":"1","host":"vpn-005","syslog_pri":"164","syslog_severity_code":4,"syslog_facility":"local4","syslog_facility_code":20,"message":"<164>2018-10-01T03:07:11+02:00 vpn-005.bolcom.net %ASA-4-722051: Group <from-home> User <user> IP <1.2.3.4> IPv4 Address <1.2.3.4> IPv6 address <::> assigned to session","tags":["grok","pri","asnum","geoip","date","mutate_msg","mutate_host","cleanup"],"logline_size":178,"@message":"Group <from-home> User <user> IP <1.2.3.4> IPv4 Address <1.2.3.4> IPv6 address <::> assigned to session","@timestamp":"2018-10-01T01:07:11.000Z","processed_by":"hostname","vpn":{"internal_ip":"1.2.3.4","as":{"name":"<redacted>","num":"<redacted>"},"geoip":{"country_name":"<redacted>","country_code":"XX","region_name":"Provincie XX","city_name":"XX","location":["XX","XX"]},"user":"user","group":"from-home","ip":"1.2.3.4"},"received_at":"2018-10-01T01:07:12.264Z"}  
VPN disconnect:
{"syslog_severity_code":4,"syslog_facility":"local4","syslog_facility_code":20,"syslog_program":"%ASA-4-722037","message":"<164>2018-10-01T23:51:11+02:00 host.fqdn.tld %ASA-4-722037: Group <from-home> User <user> IP <1.2.3.4> SVC closing connection: Transport closing.","type":"syslog","syslog_severity":"warning","tags":["grok","pri","date","mutate_msg","mutate_host","cleanup"],"logline_size":157,"@message":"Group <from-home> User <user> IP <1.2.3.4> SVC closing connection: Transport closing.","received_by":"redis","received_from":"shd-logredis-adm-002","time_lag":726,"@timestamp":"2018-10-01T21:51:11.000Z","processed_by":"shd-logstash-app-007_adm2","received_at":"2018-10-01T21:51:11.703Z","@version":"1","host":"vpn-007","syslog_pri":"164"}

And I want to correlate this to SSH logins:

{"syslog_pid":"20917","syslog_severity_code":6,"syslog_facility":"security/authorization","syslog_facility_code":10,"syslog_program":"sshd","message":"<86>2018-10-01T06:47:39.171948+02:00 hostname sshd[20917]: Accepted gssapi-with-mic for user from 1.2.3.4 port 51872 ssh2","type":"syslog","syslog_severity":"informational","tags":["grok","pri","date","mutate_msg","mutate_host","cleanup"],"logline_size":139,"@message":"Accepted gssapi-with-mic for user from 1.2.3.4 port 51872 ssh2","received_by":"redis","received_from":"hostname","time_lag":151,"@timestamp":"2018-10-01T04:47:39.171Z","processed_by":"shd-logstash-app-009_adm2","received_at":"2018-10-01T04:47:39.290Z","@version":"1","host":"hostname","syslog_pri":"86"}

I extract the username from the SSH login events using a regex as ssh_user. What I have so far is a search that should create transactions for the VPN logs and coalesce both user fields:

syslog_program="sshd" OR syslog_program="%asa-4*" | eval user = coalesce(ssh_user, 'vpn.user') | transaction user

This is where I'm stuck. Is this creating a proper transaction for Splunk to work with, and how do I create an alert for users without an active VPN from here?

0 Karma

rgerritse
New Member

I decided to stop using transactions for a while and see if I could get anything that works... sorta. So this is what I have now:

syslog_program="sshd" NOT [search syslog_program="%asa-4*" | fields vpn.user | rename vpn.user AS ssh_user]

And this correctly shows users logging in to SSH without events on VPN. \o/

Problem is that this does not take into account if the event was a connect or disconnect event.

0 Karma
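The two posts above ask for the same thing from different angles: the first wants a per-user transaction over the VPN events, the second has a working "SSH login with no VPN event at all" search but cannot tell connect from disconnect. The following is an added example (not from the poster or from Splunk) that implements the correlation in plain Python over constructed events modelled on the three records quoted above, so the intended logic is visible before it is translated back into SPL. The usernames (alice, bob), the second IP addresses and the two extra SSH events are made up for the example; the message formats are the ones shown in the post. The idea is to replay events in time order, open a session on `%ASA-4-722051`, close it on `%ASA-4-722037`, and alert on an `Accepted` sshd line for a user who has no open session at that moment.

```python
import re
from datetime import datetime

# Constructed sample events, modelled on the three JSON records in the post.
# Only the fields the correlation needs are kept; users, the 203.0.113.7 /
# 198.51.100.9 sources and the last two SSH logins are invented for the example.
EVENTS = [
    {"syslog_program": "%ASA-4-722051", "@timestamp": "2018-10-01T01:07:11.000Z",
     "@message": "Group <from-home> User <alice> IP <1.2.3.4> IPv4 Address <10.0.0.5> "
                 "IPv6 address <::> assigned to session"},
    {"syslog_program": "sshd", "@timestamp": "2018-10-01T04:47:39.171Z",
     "@message": "Accepted gssapi-with-mic for alice from 10.0.0.5 port 51872 ssh2"},
    {"syslog_program": "%ASA-4-722037", "@timestamp": "2018-10-01T21:51:11.000Z",
     "@message": "Group <from-home> User <alice> IP <1.2.3.4> SVC closing connection: Transport closing."},
    # SSH login after the VPN session was torn down -> should alert
    {"syslog_program": "sshd", "@timestamp": "2018-10-01T22:15:00.000Z",
     "@message": "Accepted publickey for alice from 203.0.113.7 port 40022 ssh2"},
    # user who never connected to the VPN at all -> should alert
    {"syslog_program": "sshd", "@timestamp": "2018-10-01T05:00:00.000Z",
     "@message": "Accepted password for bob from 198.51.100.9 port 5000 ssh2"},
]

CONNECT, DISCONNECT = "%ASA-4-722051", "%ASA-4-722037"

# Both ASA messages carry "User <name> IP <peer>"; only the connect message
# has the assigned IPv4 address, so user + peer IP is the stable session key.
ASA_RE = re.compile(r"User <(?P<user>[^>]+)> IP <(?P<peer>[^>]+)>")
# Only successful logins count; "Failed ..." / "Disconnected ..." lines do not match.
SSH_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_ts(ts):
    """Logstash @timestamp is ISO-8601 in UTC with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_ssh_without_vpn(events):
    """Return (timestamp, user, src_ip) for every accepted SSH login that
    occurred while the user had no open VPN session.

    Events are replayed in time order so a disconnect really closes the
    session; a disconnect for a session whose connect lies before the search
    window is ignored, which means such users will alert until they reconnect.
    Size the lookback accordingly.
    """
    alerts = []
    open_sessions = {}  # (user, vpn_peer_ip) -> connect time

    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        prog, msg = ev["syslog_program"], ev["@message"]

        if prog in (CONNECT, DISCONNECT):
            m = ASA_RE.search(msg)
            if not m:
                continue
            key = (m["user"], m["peer"])
            if prog == CONNECT:
                open_sessions[key] = parse_ts(ev["@timestamp"])
            else:
                open_sessions.pop(key, None)

        elif prog == "sshd":
            m = SSH_RE.search(msg)
            if not m:
                continue
            user = m["user"]
            if not any(u == user for u, _ in open_sessions):
                alerts.append((ev["@timestamp"], user, m["src"]))

    return alerts


if __name__ == "__main__":
    for ts, user, src in find_ssh_without_vpn(EVENTS):
        print(f"ALERT {ts} {user} logged in via SSH from {src} with no active VPN session")
```

Two things carry over when this becomes a Splunk search. First, the VPN user has to be extracted from `message` for both ASA event types (the disconnect record in the post has no `vpn.user` field), and it must be normalised to the same form as `ssh_user` (case, domain prefix) before the two are compared. Second, order matters: a `transaction` with `startswith`/`endswith` on the two ASA message IDs, or a `streamstats` that carries the last VPN state per user, is what turns "user has some VPN event" into "user has an open VPN session at the time of the SSH login", which is the gap the second search leaves open.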