Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

AWS Failed logins and coalesce command

samadmemon
Explorer
‎04-15-2019 09:19 AM

Hi All,

On tracking the failed logins for AWS console through Cloudtrail logs, errorCode for specific set of logs is not captured correctly.

CORRECT PARSING :

awsRegion: us-east-1

errorMessage: Failed authentication

eventID:

eventName: ConsoleLogin

eventSource: signin.amazonaws.com

eventTime:

eventType: AwsConsoleSignIn

eventVersion:

In the above log errorCode field is 'failure' which is true.

INCORRECT PARSING :

However, for the below log errorCode field is 'success'. Correct output should be errorCode=failure since it is a failed login whose user name is unknown.

awsRegion: us-east-1

errorMessage: No username found in supplied account

eventID:

eventName: CheckMfa

eventSource: signin.amazonaws.com

eventTime:

eventType: AwsConsoleSignIn

eventVersion: 1.05

PROPS.CONF :

Below is the entry for errorCode in props.conf

EVAL-errorCode = coalesce('errorCode',if(like('responseElements.ConsoleLogin',"Failure"),"failure", "success"),"success").

QUESTION :

Please suggest the way how we can achieve the following :

if errorMessage=No username found in supplied account OR errorMessage=Failed authentication then errorCode should be 'failure' else it should be a success.

what should be the entry in props.conf for EVAL-errorCode so that it can be overwritten in local folder.

Tags (1)
Reply

rmmiller
Contributor
‎11-19-2019 08:36 AM

coalesce is for dealing with null values when you have to deal with them. Also, like is for SQL-like comparisons, which you aren't really doing here.

CloudTrail inputs can be a little tricky. Are you sure they are being ingested correctly?

0 Karma
Reply

vcarbona
Path Finder
‎11-14-2019 08:32 AM

I'm thinking this field should not be overwritten rather a new field should be created indicating the status whether it is success or failure. Not sure if doing so will break anything else.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...