Can you help me understand why my /var/log/secure ...

daniel333 · ‎04-10-2018

All,

I have a clean install of Splunk ES with the latest Splunk App For Nix enabled. The Account Management dashboard is not populating in a useful.

I have this log event which is my test -
Apr 10 19:44:10 myhost useradd[5965]: new user: name=mysql, UID=997, GID=994, home=/var/lib/mysql, shell=/bin/bash

SHOULD pull field extraction from this out of the box transform stanza -

[useradd]
REGEX = .*?((new) (user|group|account))(?:: | (?:added) - )(?:name|account)=(\w+),
FORMAT = vendor_action::$1 object_category::$3 name::$4 user::$4

I confirmed you stanza SHOULD work in regex101.com

Can you help me understand why this isn't working as I expect? I believe users added, removed, groups added, removed should appear here by who executed the command.

p_gurav · ‎04-10-2018

Can you also verify the sourcetype name in both application and in normal search? Also try running dashboard search manually and check which parameter is not match.

FrankVl · ‎04-11-2018

Also: the account management dashboard probably relies on the Change Analysis data model. So you may want to check if that is being populated correctly.

daniel333 · ‎04-11-2018

Ended up finding the default lookup tables were missing entries for my OS. Aftermanually adding them I was set. Send in the missing elements to support to maybe they'll make their way into the next release.

Can you help me understand why my /var/log/secure useradd field extractions are not working as expected?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?