Tracking SSHD Login Activity in SplunkStorm

After a night out with my wife I decided to cre­ate a search for SSHD logins in Splunk Storm. See­ing that port 22 is open to the world on, I won­der how long before ran­dom bots start attempt­ing to log into it. As a secu­rity prac­ti­tioner its always inter­est­ing to see the effects of just being on the inter­net; and SplunkStorm is a great way to mon­i­tor those effects.

SSHD — Logins (Accepts and Failures)

sshd | rex field=_raw ”]: (?<sshd_action>.*) pass­word for (?<sshd_username>.*) from (?<sshd_ip>.*) port” | search sshd_action=”*” | table _time host sshd_action sshd_username sshd_ip

Here’s a look at the result:

If you’re run­ning syslog-ng, it’s super sim­ple to send your logs over to a Splunk instance. Below is what I added to my /etc/syslog-ng/syslog-ng.conf file where the X’s are val­ues pro­vided by your SplunkStorm admin console:

des­ti­na­tion d_splunk { tcp(” port(XXXXX)); };
log { source(src); destination(d_splunk); };

Leave a Reply