Splunk Lantern

Successful logins to a *nix server

You might want to see all successful logins to a *nix server when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Gaining access to a production system opens the door for users to make undesirable changes, which can subsequently lead to an incident or outage. You want the ability to see who's logged into a system just prior to an incident so you can quickly identify the root cause or determine who to consult for further investigation.

To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search:
tag=authentication action=success tag=remote host=*
|table _time host user src app

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

tag=authentication 

Look for events that are tagged "authentication." The tag is supplied by the Splunk Add-on listed above.

action=success 

Return successful authentications.

tag=remote 

Look for events that are tagged "remote."

host=*

Search on any host.

|table _time host user src app

Display the results in a table with columns in the order shown.

Result

The table below shows sample results for the search. It is a report of all successful authentications, showing the host that was authenticated to, the user who authenticated, the source host the login came from, and the app that handled the authentication.

_time                          host        user        src            app
2020-09-28T21:25:09.000+0000   10.2.3.35   jerryl      10.147.9.44    sshd
2020-09-28T21:24:46.000+0000   10.2.2.2    scottj      10.147.9.55    sshd
2020-09-28T21:24:27.000+0000   10.2.5.2    root        71.239.187.4   sshd
2020-09-28T21:18:10.000+0000   10.2.7.1    jack.bauer  24.15.129.15   sshd

The data in this example is usually found in the Linux auth.log and is given the sourcetype of linux_secure by the Splunk Add-on. Below are some sample full events. 

Oct 23 19:43:12 acmepayroll sshd[29253]: Accepted password for root from 10.11.36.11 port 2958 ssh2

Oct 23 19:39:30 HOST0170 sshd[25089]: [ID 800047 auth.info] Accepted publickey for naughtyuser from 10.11.36.49 port 50241 ssh2

Oct 23 19:36:55 HOST0170 sshd[25089]: [ID 800047 auth.info] Accepted publickey for naughtyuser from 10.11.36.5 port 50241 ssh2

Interesting fields that are extracted by the add-on include dest (destination), pid (process ID), process (process name), src_port (port of the authentication process), sshd_protocol, and user. These fields can be used to analyze other authentication-related metrics, such as users logged in at the same time from multiple remote locations.
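As an added illustration (not code from Splunk Lantern or the Splunk Add-on), the following Python parses sshd "Accepted" events in the linux_secure shape shown above into the same fields the add-on extracts (dest, process, pid, user, src, src_port, sshd_protocol, action) and then flags users seen from more than one source address, the kind of check the previous paragraph describes. The regular expression is this example's own; the sample events reuse the three lines above plus one constructed failed-login line, and none of it reflects a real environment.

```python
import re
from collections import defaultdict

# Constructed sample in the auth.log / linux_secure shape: the first three lines
# are the sample events above, the fourth is a made-up failed login that the
# parser must ignore (it is not a successful authentication).
SAMPLE_EVENTS = [
    "Oct 23 19:43:12 acmepayroll sshd[29253]: Accepted password for root from 10.11.36.11 port 2958 ssh2",
    "Oct 23 19:39:30 HOST0170 sshd[25089]: [ID 800047 auth.info] Accepted publickey for naughtyuser from 10.11.36.49 port 50241 ssh2",
    "Oct 23 19:36:55 HOST0170 sshd[25089]: [ID 800047 auth.info] Accepted publickey for naughtyuser from 10.11.36.5 port 50241 ssh2",
    "Oct 23 19:30:01 HOST0170 sshd[25001]: Failed password for invalid user admin from 10.11.36.7 port 4410 ssh2",
]

# Example regex (not the add-on's extraction); the optional "[ID ... auth.info]"
# group covers the Solaris-style prefix seen in two of the sample lines.
ACCEPTED_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<dest>\S+) "
    r"(?P<process>sshd)\[(?P<pid>\d+)\]: (?:\[ID \d+ [\w.]+\] )?"
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) "
    r"port (?P<src_port>\d+) (?P<sshd_protocol>ssh\d)$"
)

def parse_success(line):
    """Return the field set for a successful sshd login, or None for any other line."""
    m = ACCEPTED_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["action"] = "success"          # mirrors action=success in the search
    fields["pid"] = int(fields["pid"])
    fields["src_port"] = int(fields["src_port"])
    return fields

def successful_logins(lines):
    """Equivalent of the search above over raw lines: only successful logins survive."""
    return [f for f in map(parse_success, lines) if f]

def users_from_multiple_sources(events):
    """Users that logged in from more than one source address, as review candidates."""
    sources = defaultdict(set)
    for e in events:
        sources[e["user"]].add(e["src"])
    return {u: sorted(s) for u, s in sources.items() if len(s) > 1}

if __name__ == "__main__":
    ok = successful_logins(SAMPLE_EVENTS)
    for e in ok:  # same columns as "table _time host user src app"
        print(e["month"], e["day"], e["time"], e["dest"], e["user"], e["src"], e["process"])
    print(users_from_multiple_sources(ok))
```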
