Majed Saeed

Reading SSH auth logs in Splunk

Authentication logs are noisy by nature — people mistype passwords all day. The job of a detection is to separate that noise from a pattern that means something.

What an attack looks like in the data

A brute-force attempt is many failures, against one or a few accounts, from one source, in a short window. That sentence is the detection.

A starting search

Aggregate failed logins by source and user over a window (here, the time range the search runs over), then alert when the count crosses a threshold:

index=linux sourcetype=linux_secure "Failed password"
| stats count by src_ip, user
| where count > 10
| sort - count

Tuning

  • Too sensitive and the alert is noise you'll learn to ignore.
  • Too loose and a slow, patient attack slips under it.

Start strict enough to be quiet, then loosen only if you're missing real attempts. A detection nobody trusts is worse than none.
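The same detection as runnable Python over constructed sshd lines, so the two knobs (window and threshold) can be tried side by side. This is an added example, not the post's Splunk search or the author's code; the sample events, the 2024 year and the field names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sshd events (not from the post). Tuple: (seconds after 10:00:00, user, source IP).
BASE = datetime(2024, 3, 4, 10, 0, 0)   # assumed year; syslog lines carry none
EVENTS = (
    [(10 * i, "root", "203.0.113.7") for i in range(12)]          # fast burst: 12 in two minutes
    + [(180 * i, "admin", "198.51.100.9") for i in range(20)]     # slow: one every 3 min for an hour
    + [(65, "alice", "192.0.2.10"), (70, "alice", "192.0.2.10")]  # legitimate user, two typos
)
SAMPLE_LOG = "\n".join(
    f"{BASE + timedelta(seconds=off):%b %d %H:%M:%S} host sshd[{2100 + n}]: Failed password for "
    f"{'invalid user ' if user == 'admin' else ''}{user} from {ip} port {50000 + n} ssh2"
    for n, (off, user, ip) in enumerate(EVENTS)
)

# Matches the sshd line shape the Splunk "Failed password" search keys on.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port"
)
EPOCH = datetime(1970, 1, 1)  # fixed reference so bucketing does not depend on local timezone

def failed_logins(log_text, year=2024):
    """Yield (timestamp, user, src_ip) for every 'Failed password' line; skip everything else."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src_ip"]

def brute_force_hits(log_text, span_minutes, threshold):
    """Equivalent of: bin _time span=<span>m | stats count by _time, src_ip, user | where count > <threshold>.
    Returns {(src_ip, user): highest count in any single window} for pairs that crossed the threshold."""
    span = span_minutes * 60
    counts = Counter()
    for ts, user, src_ip in failed_logins(log_text):
        bucket = int((ts - EPOCH).total_seconds()) // span * span   # floor to window start, like bin
        counts[(src_ip, user, bucket)] += 1
    hits = {}
    for (src_ip, user, _), n in counts.items():
        if n > threshold:
            hits[(src_ip, user)] = max(n, hits.get((src_ip, user), 0))
    return hits

if __name__ == "__main__":
    print("5m window, >10:", brute_force_hits(SAMPLE_LOG, 5, 10))    # catches the burst only
    print("60m window, >10:", brute_force_hits(SAMPLE_LOG, 60, 10))  # also catches the slow attacker
    print("5m window, >1:", brute_force_hits(SAMPLE_LOG, 5, 1))      # too sensitive: flags alice's typos
```

The slow source never exceeds the threshold inside any 5-minute window but is obvious at 60 minutes, while a threshold of 1 flags the legitimate user's typos: exactly the two tuning failures described above.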