
I am trying to write a query via Splunk to find SSH logs used for authentication in Linux. Any ideas as to the query needed to write to achieve this? I am new to Splunk so any information would help.

Here is what I have started but to no avail:

sshd "Invalid user" NOT port NOT "preauth]" | iplocation InvalidSSHIP

Coder123
    What data sources are you currently ingesting? What index does the data reside in? Do you have permissions to see the data? – warren May 27 '20 at 18:53

1 Answer


I strongly suggest you use the Splunk TA for Nix, https://splunkbase.splunk.com/app/833/

In it, you will find common inputs and field extractions for SSH event logs, as well as other common *nix formats.

If you follow this TA, you should be able to find the events you are looking for with the following search:

index=os eventtype=ssh*

Simon Duff
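As an added example (not part of the answer above and not the TA's own extractions), here is an SPL search that pulls the authentication outcome, user and source address out of raw sshd lines and summarises failures per source, so that password-guessing sources and a failure followed by a success from the same address stand out. The index `os`, the sourcetype `linux_secure`, the field names created by `rex`, and the threshold of 10 failures are all assumptions to adjust for your environment.

```spl
index=os sourcetype=linux_secure sshd ("Accepted" OR "Failed")
| rex "(?<action>Accepted|Failed) (?<method>password|publickey|keyboard-interactive) for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)"
| where isnotnull(action)
| eval result=if(action="Accepted", "success", "failure")
| iplocation src_ip
| stats count(eval(result="failure")) AS failures,
        count(eval(result="success")) AS successes,
        dc(user) AS distinct_users,
        values(method) AS methods,
        values(Country) AS countries,
        earliest(_time) AS first_seen,
        latest(_time) AS last_seen
        BY src_ip
| where failures >= 10 OR (failures > 0 AND successes > 0)
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failures
```

Lines such as "Invalid user X from IP" carry no Accepted/Failed verdict and are dropped by the `isnotnull(action)` filter; the matching "Failed password for invalid user X" line for the same attempt still counts. If the Nix TA is installed, its own `user`, `src_ip` and `action` fields can replace the `rex` line.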