Splunk Search

How to generate a search to find the wrong user login attempts?

kteng2024
Path Finder

I have user "abc" in the log and "password invalid" in the log. I want to find out how many times this user entered the wrong password, and I want to know whether he reset the password or not (because in the logs I could see "resetting" for this user).


woodcock
Esteemed Legend

Like this (plus what @DalJeanis said):

index=foo "password invalid" OR "password reset"
| streamstats count(eval(searchmatch("password reset"))) AS sessionID BY user
| stats count AS bad_password_attempts range(_time) AS seconds_between_first_attempt_and_reset BY user sessionID
| eval bad_password_attempts = bad_password_attempts - 1
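Added example, not code from the thread or from Splunk: the session logic of the SPL answer above, run offline in Python over a few constructed log lines. The line format (`<ISO timestamp> user=<name> <message>`), the user names and the message strings "password invalid" and "resetting" are assumptions for the demo. Attempts are grouped with the reset that follows them (the bucket that `streamstats` builds), the seconds from the first attempt to the reset are reported per session, and a user whose attempts have no reset yet is still listed instead of being silently dropped or miscounted.

```python
"""Group bad-password attempts into sessions that end at the user's next reset.
Added example for the thread above; the log format below is an assumption."""
import re
from datetime import datetime

# Constructed sample log lines in the assumed format; not real data.
SAMPLE_LOG = """\
2024-04-01T09:00:05 user=abc password invalid
2024-04-01T09:00:41 user=abc password invalid
2024-04-01T09:01:10 user=xyz login succeeded
2024-04-01T09:02:30 user=abc password invalid
2024-04-01T09:05:00 user=abc resetting password
2024-04-01T10:15:00 user=abc password invalid
2024-04-01T10:16:00 user=xyz password invalid
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<msg>.*)$")


def parse(log_text):
    """Return (timestamp, user, message) tuples, oldest first.

    Splunk returns newest-first by default; the session logic needs time order,
    so sort explicitly rather than trusting the input order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not match the assumed format are ignored
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["msg"]))
    events.sort(key=lambda e: e[0])
    return events


def sessions(log_text, bad="password invalid", reset="resetting"):
    """Return {user: [session, ...]}.

    A session holds the number of bad attempts, whether a reset closed it, and
    the seconds from the first bad attempt to that reset. An open session (attempts
    with no reset yet) has reset=False and seconds_to_reset=None."""
    open_sessions = {}  # user -> {"attempts": n, "first": timestamp}
    out = {}
    for ts, user, msg in parse(log_text):
        if bad in msg:
            s = open_sessions.setdefault(user, {"attempts": 0, "first": ts})
            s["attempts"] += 1
        elif reset in msg:
            # A reset with no preceding attempts still closes a (zero-attempt) session.
            s = open_sessions.pop(user, {"attempts": 0, "first": ts})
            out.setdefault(user, []).append({
                "attempts": s["attempts"],
                "reset": True,
                "seconds_to_reset": int((ts - s["first"]).total_seconds()),
            })
    for user, s in open_sessions.items():
        out.setdefault(user, []).append(
            {"attempts": s["attempts"], "reset": False, "seconds_to_reset": None})
    return out


def total_bad_attempts(log_text, user, bad="password invalid"):
    """Plain count of bad-password events for one user, ignoring sessions."""
    return sum(1 for _, u, msg in parse(log_text) if u == user and bad in msg)


if __name__ == "__main__":
    for user, sess in sessions(SAMPLE_LOG).items():
        print(user, sess)
```

The SPL version subtracts one from every session's count to drop the reset event itself, which undercounts the user's newest session when no reset has happened yet; the Python version counts only the bad-attempt lines, so that adjustment is not needed.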

DalJeanis
Legend

Okay, so you need to (1) define what a password invalid login event looks like (2) define what a reset event looks like (3) pull that data and perhaps put it on a timeline. If I were doing it, I'd also pull the correct logins so that I could see the overall pattern.

You are going to have to figure that out for your system, though. On modern Windows machines you'd have event ID 4625 for the failed logins, event ID 4624 or 4628 for the successful ones... but if you have a hybrid system with older boxes, it could be EventID 528 or 540 or 552 for logins, and some other three-digit ones for failures. In this case, since you have a target guy, you can just search for his user ID, and use that to find what his system is throwing. If your Splunk is automatically pulling EventID -- and if it is called that on your system -- either at index or search time, then you may be able to just do something like this...

index=foo source=mywindowssourcetype "MyGuysUserID"
| table _time EventID
| timechart span=1h count by EventID

... run the thing verbose and then pick the EventIDs that look promising (spiky) out of the timeline.

If you're over on Unix, then it's a whole different set of transactions. Some of the things you might look for are "succeeded" or "Accepted" or "Auth_methods_completed"... but they vary by all kinds of things. And I wouldn't even begin to guess at iOS.

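Added example, not code from the thread or from Splunk: the hourly count-by-EventID timeline this answer suggests, done offline in Python over constructed Windows-style lines, plus a simple "which IDs spike" filter so you know which event IDs to open in Verbose mode first. The line format (`<ISO timestamp> EventID=<n> Account=<user>`), the account names and the spike threshold are assumptions for the demo.

```python
"""Hourly histogram of event IDs for one account, the offline equivalent of
`... "MyGuysUserID" | timechart span=1h count by EventID`. Added example for
the thread above; the log format is an assumption."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the assumed format; not real data.
SAMPLE_WINLOG = """\
2024-04-01T08:10:00 EventID=4624 Account=abc
2024-04-01T09:00:05 EventID=4625 Account=abc
2024-04-01T09:00:41 EventID=4625 Account=abc
2024-04-01T09:02:30 EventID=4625 Account=abc
2024-04-01T09:03:00 EventID=4625 Account=abc
2024-04-01T09:30:00 EventID=4624 Account=xyz
2024-04-01T10:15:00 EventID=4625 Account=abc
2024-04-01T11:00:00 EventID=4624 Account=abc
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+)$")


def timechart(log_text, account, span_hours=1):
    """Return {bucket_start_iso: Counter(EventID -> count)} for one account."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["acct"] != account:
            continue  # other accounts and malformed lines are dropped
        ts = datetime.fromisoformat(m["ts"])
        hour = (ts.hour // span_hours) * span_hours
        bucket = ts.replace(hour=hour, minute=0, second=0).isoformat()
        buckets[bucket][int(m["eid"])] += 1
    return dict(buckets)


def spiky_event_ids(chart, factor=3):
    """EventIDs whose busiest bucket is at least `factor` times their average
    per-bucket count (buckets where the ID is absent count as zero)."""
    ids = {eid for counter in chart.values() for eid in counter}
    hours = len(chart)
    spiky = []
    for eid in sorted(ids):
        counts = [counter.get(eid, 0) for counter in chart.values()]
        if hours and max(counts) >= factor * (sum(counts) / hours):
            spiky.append(eid)
    return spiky


if __name__ == "__main__":
    chart = timechart(SAMPLE_WINLOG, "abc")
    for bucket in sorted(chart):
        print(bucket, dict(chart[bucket]))
    print("spiky:", spiky_event_ids(chart))
```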