I found this search from the user [woodcock][1]; it basically searches for successful logins after several failed attempts:
```
index=* sourcetype=linux_secure tag=authentication action="failure" OR action="success"
| reverse
| streamstats sum(eval(match(action,"failure"))) AS action_count reset_after="("match(action,\"success\")")" BY user
| reverse
| where match(action,"success") AND action_count>=3
```
(in this case the query searches for 3 failed logins followed by one successful login)
The **action_count** field counts all the failed attempts, and this works quite well.
For example, if root has 5 failed login attempts it counts this as 5, and when one successful attempt occurs it just resets the count and starts at one with the next failed login.
However, this only works if you search for a particular user (in this case "user=root");
if you run the query as-is it will still count the failed logins per user, but after a reset for one user it also resets the count for all users.
So would it be possible to reset the count per user instead of for all users?
[1]: https://answers.splunk.com/users/1493/woodcock.html?utm_source=answers&utm_medium=email&utm_term=woodcock&utm_content=&utm_campaign=mention
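As an added illustration (Python written for this page, not part of the original post or of the Splunk search), the same counting logic with one failure counter per user, next to the global-reset variant the question describes, run over constructed auth events:

```python
# Added example: per-user "N failures then success" detection over constructed
# Linux auth events, re-implementing the streamstats idea from the question.
# A success resets only that user's counter, so another user's login never
# zeroes someone else's failure count.
from collections import defaultdict

# Constructed sample events in chronological order (oldest first), the order
# the "| reverse" in the original search produces.
EVENTS = [
    {"user": "root",  "action": "failure"},
    {"user": "alice", "action": "failure"},
    {"user": "root",  "action": "failure"},
    {"user": "alice", "action": "success"},  # resets alice only
    {"user": "root",  "action": "failure"},
    {"user": "bob",   "action": "failure"},
    {"user": "root",  "action": "success"},  # root: 3 failures then success
    {"user": "bob",   "action": "success"},  # bob: 1 failure, below threshold
]


def failures_then_success(events, threshold=3, per_user=True):
    """Return (user, failure_count) for every success that follows at least
    `threshold` failures for that user since the user's last success.

    per_user=False makes a success clear every user's counter, reproducing the
    global reset the question complains about, so the two behaviours can be
    compared on the same input."""
    counts = defaultdict(int)
    hits = []
    for ev in events:
        user, action = ev["user"], ev["action"]
        if action == "failure":
            counts[user] += 1
        elif action == "success":
            if counts[user] >= threshold:
                hits.append((user, counts[user]))
            if per_user:
                counts[user] = 0
            else:
                counts.clear()
    return hits


if __name__ == "__main__":
    print("per-user reset:", failures_then_success(EVENTS))
    print("global reset:  ", failures_then_success(EVENTS, per_user=False))
```

With the per-user reset root's three failures survive alice's successful login and are flagged; with the global reset alice's success wipes root's count and nothing is flagged.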