Search String:
index=xxx-xx* (Failed_su OR "invalid user" OR "illegal user" NOT "Element Check" NOT input_* NOT Postponed NOT keyboard-interactive) NOT [|inputlookup linuxlookupname] | table _time, host, src_ip, user, vendor_action, linux_message | sort -_time
Here is a sample output (sorry about the terrible format)
| _time | host | src_ip | user | vendor_action | linux_message |
|---|---|---|---|---|---|
| Tue May | | 10.193.XXX.XXX | vagrant | Invalid user | Invalid user vagrant from 10.193.XXX.XXX |
| Tue May | | 10.193.XXX.XXX | vagrant | Invalid user | Invalid user vagrant from 10.193.XXX.XXX |
| Tue May | | 10.193.XXX.XXX | admin | Invalid user | Invalid user admin from 10.193.XXX.XXX |
| Tue May | | 10.193.XXX.XXX | pi | Invalid user | Invalid user pi from 10.193.XXX.XXX |
The CSV lookup table has the one field (src_ip), and I have edited it on the server manually and removed/re-added the IP in question, but it still continues to show up.
Thanks!
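As an added example, not part of the original post and not Splunk code, here is a small Python reconstruction of what the search above expresses: parse `Invalid user <name> from <ip>` messages, extract `user` and `src_ip`, and drop every event whose `src_ip` appears in a one-column CSV lookup (the `NOT [|inputlookup ...]` intent). The sample events, the CSV contents and the function names (`load_allowlist`, `parse_event`, `find_unexpected`) are constructed for this illustration. It also demonstrates one general way any exact-match exclusion can silently fail: a lookup entry that is not byte-identical to the extracted field (here a trailing space), which the `normalize` flag strips and canonicalizes.

```python
import csv
import io
import re
from ipaddress import ip_address

# Constructed sample sshd events (placeholder IPs, not from any real host).
SAMPLE_EVENTS = [
    "May 10 12:00:01 web01 sshd[1234]: Invalid user vagrant from 10.193.1.10",
    "May 10 12:00:02 web01 sshd[1235]: Invalid user admin from 10.193.1.10",
    "May 10 12:00:03 web02 sshd[2001]: Invalid user pi from 198.51.100.7",
    "May 10 12:00:04 web02 sshd[2002]: Failed password for invalid user test from 203.0.113.5 port 22 ssh2",
]

# Constructed one-column lookup. The first entry deliberately carries a
# trailing space to show why an exact-match exclusion needs normalization.
LOOKUP_CSV = "src_ip\n10.193.1.10 \n192.0.2.44\n"

# Matches both "Invalid user X from IP" and "... invalid user X from IP ...".
INVALID_USER_RE = re.compile(
    r"(?i)invalid user (?P<user>\S+) from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def load_allowlist(csv_text, normalize=True):
    """Return the set of src_ip values from a one-column CSV lookup.

    With normalize=True each value is stripped of surrounding whitespace and
    rendered in canonical dotted form, so it compares equal to the field
    extracted from the event. With normalize=False the raw cell is used.
    """
    allow = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row.get("src_ip") or ""
        if normalize:
            raw = raw.strip()
            if not raw:
                continue
            raw = str(ip_address(raw))  # raises ValueError on a malformed entry
        allow.add(raw)
    return allow


def parse_event(line):
    """Extract user and src_ip from an 'invalid user' message, or None."""
    m = INVALID_USER_RE.search(line)
    if not m:
        return None
    return {"user": m.group("user"), "src_ip": m.group("src_ip"), "linux_message": line}


def find_unexpected(events, allowlist):
    """Parsed events whose src_ip is NOT in the allowlist, in input order."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev is None or ev["src_ip"] in allowlist:
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    good = load_allowlist(LOOKUP_CSV)
    for ev in find_unexpected(SAMPLE_EVENTS, good):
        print(ev["src_ip"], ev["user"], ev["linux_message"])
    # Same lookup without normalization: the 10.193.1.10 events come back.
    print(len(find_unexpected(SAMPLE_EVENTS, load_allowlist(LOOKUP_CSV, normalize=False))))
```

With normalization the two 10.193.1.10 events are excluded and only the pi and test attempts remain; without it the unstripped entry matches nothing and all four events come back, which is the same symptom as an exclusion that "still continues to show up". Whatever the actual cause on the poster's search head, comparing the exact bytes in the lookup against the extracted `src_ip` value is a cheap first check.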