Splunk Search

How would I exclude events that normally occur after a restart of a server?

jmaple
Communicator

On our Linux servers, we see that audit policies are re-applied to the audit service whenever the service is restarted. I'm trying to find a way to only generate events if a restart of the server has not occurred within a given period of time (likely 10-15 minutes). How would I configure my search to search for audit change events that are not within 15 minutes of a server restart?

Search for finding a change in audit settings:

index=os* key="MAC-policy" type=CONFIG_CHANGE

Search for finding server restarts:

index=os* type=SYSTEM_SHUTDOWN
0 Karma
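The rule the question asks for (report a CONFIG_CHANGE only when no SYSTEM_SHUTDOWN was recorded for the same host in the preceding 15 minutes) is easy to state outside Splunk. The following is an added example, not part of the thread, that implements that rule in Python over constructed auditd records; the hostname prefix, the timestamps, serials and field values in SAMPLE_LOG are made up for the example, and the window and key name are taken from the question.

```python
import re

# Constructed sample records (not from the original thread). Each line is
# "<host> <auditd record>", the way a forwarder might tag them. The records
# imitate the auditd layout: type=..., msg=audit(<epoch>.<ms>:<serial>): ...
SAMPLE_LOG = """\
web01 type=SYSTEM_SHUTDOWN msg=audit(1467000000.000:101): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='comm="systemd-update-utmp" res=success'
web01 type=CONFIG_CHANGE msg=audit(1467000120.000:102): auid=4294967295 ses=4294967295 op=add_rule key="MAC-policy" list=4 res=1
web01 type=CONFIG_CHANGE msg=audit(1467000125.000:103): auid=4294967295 ses=4294967295 op=add_rule key="MAC-policy" list=4 res=1
db01 type=CONFIG_CHANGE msg=audit(1467000130.000:201): auid=1000 ses=3 op=add_rule key="MAC-policy" list=4 res=1
web01 type=CONFIG_CHANGE msg=audit(1467003600.000:104): auid=1000 ses=7 op=remove_rule key="MAC-policy" list=4 res=1
web01 type=CONFIG_CHANGE msg=audit(1467003700.000:105): auid=1000 ses=7 op=add_rule key="delete" list=4 res=1
"""

WINDOW_SECONDS = 15 * 60  # the 15-minute grace period from the question

RECORD_RE = re.compile(
    r'^(?P<host>\S+)\s+type=(?P<type>[A-Z_]+)\s+'
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):(?P<body>.*)$'
)
# auditd writes key="name" for a rule key, or key=(null) when there is none
KEY_RE = re.compile(r'\bkey="?([^"\s]*)"?')


def parse(line):
    """Parse one tagged auditd record; return None for lines that don't match."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    key = KEY_RE.search(m.group("body"))
    return {
        "host": m.group("host"),
        "type": m.group("type"),
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "key": key.group(1) if key else None,
        "raw": line,
    }


def find_unexplained_config_changes(lines, window=WINDOW_SECONDS, key="MAC-policy"):
    """Return CONFIG_CHANGE records for `key` that are NOT within `window`
    seconds after the most recent SYSTEM_SHUTDOWN of the same host.

    Records are processed in time order so that the shutdown is seen before
    the config changes that the restart causes.
    """
    events = [e for e in map(parse, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])  # forwarded logs may arrive out of order

    last_shutdown = {}  # host -> epoch seconds of its latest SYSTEM_SHUTDOWN
    alerts = []
    for e in events:
        if e["type"] == "SYSTEM_SHUTDOWN":
            last_shutdown[e["host"]] = e["ts"]
        elif e["type"] == "CONFIG_CHANGE" and e["key"] == key:
            since = last_shutdown.get(e["host"])
            # No shutdown seen for this host, or the shutdown is too old to
            # explain the change: this is the event the security team wants.
            if since is None or e["ts"] - since > window:
                alerts.append(e)
    return alerts


if __name__ == "__main__":
    for a in find_unexplained_config_changes(SAMPLE_LOG.splitlines()):
        print(a["host"], a["serial"], a["raw"])
```

In the constructed sample, the two changes on web01 two minutes after its shutdown are suppressed, the change on db01 (no shutdown on record) and the change on web01 an hour later are reported, and the key="delete" record is ignored by the key filter. Two caveats a practitioner would check before turning this into an alert: a host that stays down longer than the window will alert on its boot-time rule reload (keying the suppression on the boot record instead of, or in addition to, SYSTEM_SHUTDOWN avoids that), and the suppression is per host, so events must carry a reliable host field.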
1 Solution


sundareshr
Legend

Let's try a different approach

index=os ("SYSTEM_SHUTDOWN" OR "CONFIG_CHANGE") | rex "(?<action>SYSTEM_SHUTDOWN|CONFIG_CHANGE)" | autoregress action as next_action | where action=next_action

jmaple
Communicator

That does the trick.

So I understand it, are you skipping the first CONFIG_CHANGE event that occurs after a SYSTEM_SHUTDOWN event?

0 Karma

sundareshr
Legend

That's correct.

0 Karma

jmaple
Communicator

That works for me. Thanks.

0 Karma

sundareshr
Legend

See if this works. What this should do is group all events that start with SYSTEM_SHUTDOWN and have a CONFIG_CHANGE within a 15 min timespan. All other events will not be grouped. closed_txn=f returns ungrouped events. You may have to experiment with keepevicted vs keeporphans.

index=os | transaction maxspan=16m startswith="SYSTEM_SHUTDOWN" endswith="CONFIG_CHANGE" keepevicted=t | where closed_txn=0

http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Transaction

0 Karma

jmaple
Communicator

Wouldn't marking all transactions as open mean that the "CONFIG_CHANGE" wasn't taking place? 100% of the time it will take place after a reboot so I need to be able to see this event if the "SYSTEM_SHUTDOWN" doesn't occur.

0 Karma

sundareshr
Legend

This doesn't mark all transactions as open. It will mark transactions as open if they DO NOT meet any of these criteria:

1) Find SYSTEM_SHUTDOWN
2) Find CONFIG_CHANGE within 15mins of SYSTEM_SHUTDOWN

Once it groups the transactions, (SYSTEM_SHUTDOWN & CONFIG_CHANGE within 15min span) remaining events will be marked as "open" transactions. The where clause will keep only the open transactions.

To make this cleaner, you could add ("SYSTEM_SHUTDOWN" OR "CONFIG_CHANGE") to your base search to minimize the events returned.

Were you able to try the query? What results did you get?

jmaple
Communicator

The results showed transactions, but the ones I saw didn't start with "SYSTEM_SHUTDOWN", so I flipped the keepevicted value to false. The events that were generated are not showing now, but I need to do an effective test by rebooting my test machine and then adding an audit rule.

Update: Looks like that did not produce an event when I added an audit rule. Here is what happened:

First I kept the "keepevicted=t". This produced events but the events produced are within the span of time. If the idea was to produce events outside the span of time, this did not work.

Next I changed it to "keepevicted=f". This produced no events, so I changed the span down to 1s to force a result and still got no result, so this did not work.

Next I changed it from "keepevicted=f" to "keeporphans=t". This produced no results so it did not work.

Next I changed it to "keeporphans=f". This produced no results so it did not work.

0 Karma

sundareshr
Legend

My understanding is you DO NOT want a "CONFIG_CHANGE" right after a "SYSTEM_SHUTDOWN". If that's true, you should set keepevicted=t. You want all events that are NOT grouped in a transaction. To verify the findings, do a table _time _raw closed_txn and compare the events where closed_txn=0 and closed_txn=1. The ones with 1 should have "SYSTEM_SHUTDOWN" AND/OR "CONFIG_CHANGE", whereas the others should only have "CONFIG_CHANGE".

0 Karma

jmaple
Communicator

I want to see the "CONFIG_CHANGE" event ONLY if the "SYSTEM_SHUTDOWN" event hasn't occurred in the last 15m. That would be the only time the "CONFIG_CHANGE" event would be relevant to our security team.

0 Karma