Successful logins to a *nix server
Gaining access to a production system opens the door for users to make undesirable changes, which can subsequently lead to an incident or outage. You want the ability to see who logged into a system just prior to an incident so you can quickly identify the root cause or determine who to consult for further investigation.
Data required
Procedure
- Install the Splunk Add-on for Unix and Linux.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
tag=authentication action=success tag=remote host=* |table _time host user src app
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| tag=authentication | Look for events that are tagged as authentication events. |
| action=success | Return successful authentications. |
| tag=remote | Look for events that are tagged as remote. |
| host=* | Search on any host. |
| \| table _time host user src app | Display the results in a table with columns in the order shown. |
Next steps
The table below shows sample results for the search. This is a report of all successful authentications on the listed host, initiated by a specific user, from the source host, and the app being authenticated to.

| _time | host | user | src | app |
|---|---|---|---|---|
| 2020-09-28T21:25:09.000+0000 | 10.2.3.35 | jerryl | 10.147.9.44 | sshd |
| 2020-09-28T21:24:46.000+0000 | 10.2.2.2 | scottj | 10.147.9.55 | sshd |
| 2020-09-28T21:24:27.000+0000 | 10.2.5.2 | root | 71.239.187.4 | sshd |
| 2020-09-28T21:18:10.000+0000 | 10.2.7.1 | jack.bauer | 24.15.129.15 | sshd |
The data in this example is usually found in the Linux auth.log and is given the source type of linux_secure by the Splunk add-on. Below are some sample full events.
Interesting fields that are extracted by the add-on include dest (destination), pid (process id), process (process name), src_port (port of the authentication process), sshd_protocol, and user. These fields can be used to analyze other authentication-related metrics, such as users logged in at the same time from multiple remote locations.
Finally, you might also want to look at other similar searches to this in our article Managing *nix system user account behavior.