Skip to main content
 
 
 
Splunk Lantern

Successful logins to a *nix server

 

Gaining access to a production system opens the door for users to make undesirable changes, which can subsequently lead to an incident or outage. You want the ability to see who logged into a system just prior to an incident so you can quickly identify the root cause or determine who to consult for further investigation.

Procedure

  1. Install the Splunk Add-on for Unix and Linux.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
tag=authentication action=success tag=remote host=*
|table _time host user src app

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

tag=authentication

Look for events that are tagged authentication. The tag is supplied by Splunk add-on listed above.

action=success

Return successful authentications.

tag=remote

Look for events that are tagged remote.

host=*

Search on any host.

|table _time host user src app

Display the results in a table with columns in the order shown.

Next steps

The table below shows sample results for the search. This is a report of all successful authentications on the listed host, initiated by a specific user, from the source host, and the app being authenticated to.

_time host user src app

2020-09-28T21:25:09.000+0000

10.2.3.35

jerryl

10.147.9.44

sshd

2020-09-28T21:24:46.000+0000

10.2.2.2

scottj

10.147.9.55

sshd

2020-09-28T21:24:27.000+0000

10.2.5.2

root

71.239.187.4

sshd

2020-09-28T21:18:10.000+0000

10.2.7.1

jack.bauer

24.15.129.15

sshd

The data in this example is usually found in the Linux auth.log and is given the source type of linux_secure by the Splunk add-on. Below are some sample full events.

Oct 23 19:43:12 acmepayroll sshd[29253]: Accepted password for root from 10.11.36.11 port 2958 ssh2

Oct 23 19:39:30 HOST0170 sshd[25089]: [ID 800047 auth.info] Accepted publickey for naughtyuser from 10.11.36.49 port 50241 ssh2

Oct 23 19:36:55 HOST0170 sshd[25089]: [ID 800047 auth.info] Accepted publickey for naughtyuser from 10.11.36.5 port 50241 ssh2

Interesting fields that are extracted by the add-on include dest (destination), pid (process id), process (process name), src_port (port of the authentication process), sshd_protocol, and user. These fields can be used to analyze other authentication related metrics, such as users logged in at the same time from multiple remote locations.

Finally, you might also want to look at other similar searches to this in our article Managing *nix system user account behavior.