Splunk App for Unix and Linux: How to search for data on account lockouts?

tmarlette
Motivator

I have deployed the UNIX app successfully to my environment, and the app is working well; however, I don't see anything that would tell me about 'account lockouts'. I wanted to ask a couple of questions to the community to see if I'm missing something.

Question 1: Am I overlooking something within the UNIX app that I can just click on to see when a Unix account is locked out? A search that is already formulated?

Question 2: In trying to build my own 'account lockout' query, I can see a series of events if I search for:

index=my_index bad password

The lack of quotes is deliberate, and all Linux data goes to the same index. I can't, however, see in the event message where it says 'bad password'.

I've also tried searching

index=my_index sourcetype="Unix:UserAccounts"

for an instance; however, I can't see anything there either. I assume it's my ignorance, so I figured I would ask and see if someone has already done this.

0 Karma
1 Solution

tmarlette
Motivator

I found out there is no such place / extraction. This must be done manually, and in many cases from /var/log/messages.

0 Karma
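Since the accepted answer says lockouts have to be pulled manually out of /var/log/messages, here is an added example (not from the original thread or the Splunk app) of the parsing logic involved: it runs over a few constructed syslog-style lines, counts failed logins per user and source, and flags the PAM lockout messages. The sshd and pam_unix line formats are standard; the pam_tally2 and pam_faillock formats are assumed from their common output and should be checked against your own hosts. The same regexes can be ported into a Splunk `rex` command on the sourcetype that carries /var/log/messages.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in /var/log/messages style; not real log data.
# pam_tally2 / pam_faillock wording is assumed: verify against your systems.
SAMPLE_LOG = """\
Jan 12 10:01:02 web01 sshd[1201]: Failed password for bob from 10.0.0.5 port 51000 ssh2
Jan 12 10:01:04 web01 sshd[1201]: Failed password for bob from 10.0.0.5 port 51000 ssh2
Jan 12 10:01:06 web01 sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=bob
Jan 12 10:01:08 web01 sshd[1201]: pam_tally2(sshd:auth): user bob (1001) tally 5, deny 5
Jan 12 10:02:00 web01 sshd[1300]: Failed password for invalid user admin from 10.0.0.9 port 52000 ssh2
Jan 12 10:02:30 web01 sshd[1310]: pam_faillock(sshd:auth): Consecutive login failures for user alice account temporarily locked
Jan 12 10:03:00 web01 sshd[1320]: Accepted password for carol from 10.0.0.7 port 53000 ssh2
"""

# sshd's own failure line; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
# pam_unix failure line; rhost= precedes user=, so the lazy matches stay in order.
PAM_FAIL_RE = re.compile(r"pam_unix\(\S+\): authentication failure;.*?rhost=(?P<src>\S*).*?user=(?P<user>\S+)")
# pam_tally2 reports the running tally and the deny threshold on every failure.
TALLY_RE = re.compile(r"pam_tally2\(\S+\): user (?P<user>\S+) \(\d+\) tally (?P<tally>\d+), deny (?P<deny>\d+)")
# pam_faillock emits an explicit lockout line once the threshold is crossed.
FAILLOCK_RE = re.compile(r"pam_faillock\(\S+\): .*for user (?P<user>\S+) account temporarily locked")


def analyse(log_text):
    """Return failed-login counts, source addresses and detected lockouts per user."""
    failures = Counter()
    sources = defaultdict(set)
    locked = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line) or PAM_FAIL_RE.search(line)
        if m:
            failures[m["user"]] += 1
            sources[m["user"]].add(m["src"])
        m = TALLY_RE.search(line)
        if m and int(m["tally"]) >= int(m["deny"]):  # tally reached deny: account locked
            locked[m["user"]] = "pam_tally2"
        m = FAILLOCK_RE.search(line)
        if m:
            locked[m["user"]] = "pam_faillock"
    return {"failures": dict(failures),
            "sources": {u: sorted(s) for u, s in sources.items()},
            "locked": locked}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```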
