Hi,
How can I prevent the Splunk Nix TA from mapping the following event to a 'Failed Login' within the Authentication Data Model?
sshd[31604]: [ID 800047 auth.notice] Failed none for bla from 10.x.x.x. port 63604 ssh2
I basically want to exclude anything where the phrase 'Failed none' is seen in the raw event.
The following content from the props, in conjunction with the lookup listed below, is mapping the event as action=failed.
[syslog]
...
LOOKUP-action_for_syslog = nix_action_lookup vendor_action OUTPUTNEW action
...
From the lookup file:
vendor_action action
...
failed failure
...
I can hash out the line above in the lookup file, but this would then also drop genuine failed logins which I still want to capture.
Any help appreciated.
You can change the search string of the eventtype to exclude the keyword 'Failed none'.
The list of event types can be viewed under 'Settings->Event Types' in the GUI.
Please review the default/eventtypes.conf and tags.conf to understand the current mapping between events/eventtypes and the 'authentication' tag. You can then create new eventtypes or adjust existing ones to exclude your event(s) from getting the 'failed logon' eventtype and auth tags. [ and/or by using your specific sourcetypes in the exclusion]
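Putting the two answers together, here is an added example (not from the thread or the Nix TA itself) of a local eventtypes.conf override that keeps the TA's failed-logon eventtype but excludes 'Failed none' events, so they never receive the authentication tag and drop out of the data model while the vendor_action lookup stays untouched for genuine failures. The stanza name, the base search and the index name are assumed placeholders; copy the real ones from the TA's default/eventtypes.conf.

```ini
# $SPLUNK_HOME/etc/apps/<nix TA>/local/eventtypes.conf
# A local/ stanza with the same name overrides the TA's default/ stanza and survives upgrades.
# ASSUMED placeholders: the stanza name and search below are NOT the TA's real values;
# take them from default/eventtypes.conf (Settings -> Event Types shows them too).
[nix_failed_logon_placeholder]
# Same search as the default stanza, with the sshd "Failed none" pre-auth probe excluded.
# Quoted phrases match as phrases, so 'Failed password' / 'Failed publickey' still match.
search = sourcetype=syslog "Failed" NOT "Failed none"

# Check the effect from the search bar (index name "os" is a placeholder):
#   index=os sourcetype=syslog "Failed none" | stats count by eventtype, tag
# After the override those events should no longer carry the authentication tag,
# while the tags.conf mapping (eventtype=... -> tag authentication) needs no change.
```

Run the check search once before and once after the override, since eventtypes are evaluated at search time and need no reindex.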
Ah, you mean 'read the documentation' - If only I'd thought of that...