First post so: hi all!
I need some help to set up an alert if a user logs in on one of our systems without an active VPN. To do this I want to correlate some events from the VPN device:
VPN connect:
{"syslog_program":"%ASA-4-722051","type":"syslog","syslog_severity":"warning","received_by":"redis","received_from":"hostname","time_lag":1289,"@version":"1","host":"vpn-005","syslog_pri":"164","syslog_severity_code":4,"syslog_facility":"local4","syslog_facility_code":20,"message":"<164>2018-10-01T03:07:11+02:00 vpn-005.bolcom.net %ASA-4-722051: Group <from-home> User <user> IP <1.2.3.4> IPv4 Address <1.2.3.4> IPv6 address <::> assigned to session","tags":["grok","pri","asnum","geoip","date","mutate_msg","mutate_host","cleanup"],"logline_size":178,"@message":"Group <from-home> User <user> IP <1.2.3.4> IPv4 Address <1.2.3.4> IPv6 address <::> assigned to session","@timestamp":"2018-10-01T01:07:11.000Z","processed_by":"hostname","vpn":{"internal_ip":"1.2.3.4","as":{"name":"<redacted>","num":"<redacted>"},"geoip":{"country_name":"<redacted>","country_code":"XX","region_name":"Provincie XX","city_name":"XX","location":["XX","XX"]},"user":"user","group":"from-home","ip":"1.2.3.4"},"received_at":"2018-10-01T01:07:12.264Z"}
VPN disconnect:
{"syslog_severity_code":4,"syslog_facility":"local4","syslog_facility_code":20,"syslog_program":"%ASA-4-722037","message":"<164>2018-10-01T23:51:11+02:00 host.fqdn.tld %ASA-4-722037: Group <from-home> User <user> IP <1.2.3.4> SVC closing connection: Transport closing.","type":"syslog","syslog_severity":"warning","tags":["grok","pri","date","mutate_msg","mutate_host","cleanup"],"logline_size":157,"@message":"Group <from-home> User <user> IP <1.2.3.4> SVC closing connection: Transport closing.","received_by":"redis","received_from":"shd-logredis-adm-002","time_lag":726,"@timestamp":"2018-10-01T21:51:11.000Z","processed_by":"shd-logstash-app-007_adm2","received_at":"2018-10-01T21:51:11.703Z","@version":"1","host":"vpn-007","syslog_pri":"164"}
And I want to correlate this to SSH logins:
{"syslog_pid":"20917","syslog_severity_code":6,"syslog_facility":"security/authorization","syslog_facility_code":10,"syslog_program":"sshd","message":"<86>2018-10-01T06:47:39.171948+02:00 hostname sshd[20917]: Accepted gssapi-with-mic for user from 1.2.3.4 port 51872 ssh2","type":"syslog","syslog_severity":"informational","tags":["grok","pri","date","mutate_msg","mutate_host","cleanup"],"logline_size":139,"@message":"Accepted gssapi-with-mic for user from 1.2.3.4 port 51872 ssh2","received_by":"redis","received_from":"hostname","time_lag":151,"@timestamp":"2018-10-01T04:47:39.171Z","processed_by":"shd-logstash-app-009_adm2","received_at":"2018-10-01T04:47:39.290Z","@version":"1","host":"hostname","syslog_pri":"86"}
I extract the username from the SSH login events using a regex as ssh_user. What I have so far is a search that should create transactions for the VPN logs and coalesce both user fields:
syslog_program="sshd" OR syslog_program="%asa-4*" | eval user = coalesce(ssh_user, user) | transaction user
This is where I'm stuck. Is this creating a proper transaction for Splunk to work with, and how do I create an alert for users without an active VPN from here?
I decided to stop using transactions for a while and see if I could get anything that works... sorta. So this is what I have now:
syslog_program="sshd" NOT [search syslog_program="%asa-4*" | fields vpn.user | rename vpn.user AS ssh_user]
And this correctly shows users logging in to SSH without events on VPN. \o/
The problem is that this does not take into account whether the event was a connect or a disconnect event.
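One way to make the connect/disconnect distinction that the NOT-subsearch approach misses, as an added example that is not part of this post or of Splunk: replay events in time order, keep a count of open VPN sessions per user from the 722051/722037 messages, and flag each sshd "Accepted" login whose user has no session open at that moment. The events, usernames and addresses below are constructed in the shape of the ASA and sshd messages above.

```python
import re
from datetime import datetime

# Constructed sample events (not the poster's data) in the shape of the Cisco ASA
# and sshd syslog events above; only the fields the correlation needs are kept.
EVENTS = [
    {"@timestamp": "2018-10-01T01:07:11.000Z", "syslog_program": "%ASA-4-722051",
     "@message": "Group <from-home> User <alice> IP <1.2.3.4> IPv4 Address <10.8.0.5> IPv6 address <::> assigned to session"},
    {"@timestamp": "2018-10-01T04:47:39.171Z", "syslog_program": "sshd",
     "@message": "Accepted gssapi-with-mic for alice from 10.8.0.5 port 51872 ssh2"},
    {"@timestamp": "2018-10-01T05:12:00.000Z", "syslog_program": "%ASA-4-722037",
     "@message": "Group <from-home> User <alice> IP <1.2.3.4> SVC closing connection: Transport closing."},
    {"@timestamp": "2018-10-01T06:30:00.000Z", "syslog_program": "sshd",
     "@message": "Accepted publickey for alice from 10.8.0.5 port 51900 ssh2"},
    {"@timestamp": "2018-10-01T06:35:00.000Z", "syslog_program": "sshd",
     "@message": "Accepted gssapi-with-mic for bob from 192.0.2.7 port 40000 ssh2"},
]

VPN_USER = re.compile(r"User <(?P<user>[^>]+)>")                       # ASA connect/disconnect
SSH_LOGIN = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")  # sshd success line

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")

def ssh_logins_without_vpn(events):
    """Replay events in time order while tracking open VPN sessions per user.
    Returns (timestamp, user, source ip) for every SSH login whose user had
    no open VPN session at that moment."""
    active = {}   # user -> number of currently open VPN sessions
    flagged = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        prog, msg = ev["syslog_program"], ev["@message"]
        if prog == "%ASA-4-722051":            # session established
            u = VPN_USER.search(msg)["user"]
            active[u] = active.get(u, 0) + 1
        elif prog == "%ASA-4-722037":          # session closed
            u = VPN_USER.search(msg)["user"]
            if active.get(u, 0) > 0:           # ignore closes for sessions never seen opening
                active[u] -= 1
        elif prog == "sshd":
            m = SSH_LOGIN.search(msg)
            if m and active.get(m["user"], 0) == 0:
                flagged.append((ev["@timestamp"], m["user"], m["ip"]))
    return flagged

if __name__ == "__main__":
    for ts, user, ip in ssh_logins_without_vpn(EVENTS):
        print(f"{ts} {user} from {ip}: SSH login with no active VPN session")
```

Alice's first login falls inside her VPN session and is not flagged; her login after the 722037 close and bob's login (no VPN session at all) are.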