I am trying to write a query via Splunk to find SSH logs used for authentication in Linux. Any ideas as to the query needed to write to achieve this? I am new to Splunk so any information would help.
Here is what I have started but to no avail:
sshd "Invalid user" NOT port NOT "preauth]" | iplocation InvalidSSHIP
I strongly suggest you use the Splunk TA for Nix, https://splunkbase.splunk.com/app/833/
In it, you will find common inputs and field extractions for SSH event logs, as well as other common *nix formats.
If you follow this TA, you should be able to find the events you are looking for with the following search:
index=os eventtype=ssh*
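The TA referred to above ships the field extractions that make `eventtype=ssh*` searchable; the block below is an added example, not part of the original answer or of the Splunk TA, showing the same kind of extraction done by hand in Python over a few constructed sshd syslog lines. It pulls out user, source IP, port and outcome for each authentication event, skips non-authentication noise such as the `[preauth]` disconnect, and then counts failed or invalid-user attempts per source so a spike from one address stands out. The sample log text and the threshold of 3 are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample sshd lines in the default syslog format (not from the original post).
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 host1 sshd[2301]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc
Mar 10 08:02:40 host1 sshd[2310]: Failed password for bob from 203.0.113.7 port 40112 ssh2
Mar 10 08:02:43 host1 sshd[2310]: Failed password for bob from 203.0.113.7 port 40112 ssh2
Mar 10 08:03:01 host1 sshd[2315]: Invalid user admin from 203.0.113.7 port 40120
Mar 10 08:03:01 host1 sshd[2315]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar 10 08:03:05 host1 sshd[2315]: Disconnected from invalid user admin 203.0.113.7 port 40120 [preauth]
Mar 10 08:05:00 host1 sshd[2320]: Accepted password for carol from 192.168.1.9 port 50000 ssh2
"""

# One pattern covers the three authentication message shapes sshd writes:
#   "Accepted <method> for <user> from <ip> port <port>"
#   "Failed <method> for [invalid user ]<user> from <ip> port <port>"
#   "Invalid user <user> from <ip> port <port>"
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: "
    r"(?P<action>Accepted|Failed|Invalid user) "
    r"(?:(?P<method>publickey|password) for )?"
    r"(?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"
)


def parse_sshd_events(log_text):
    """Return one dict per authentication event; other sshd lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # e.g. "Disconnected ... [preauth]" carries no auth decision
        ev = m.groupdict()
        ev["timestamp"] = line[:15]  # syslog "Mon dd HH:MM:SS"
        if ev["action"] == "Accepted":
            ev["outcome"] = "success"
        elif ev["action"] == "Failed":
            ev["outcome"] = "failure"
        else:
            ev["outcome"] = "invalid_user"
        events.append(ev)
    return events


def failures_by_source(events, threshold=3):
    """Count failed and invalid-user events per source IP; keep sources at or over threshold."""
    counts = Counter(e["src_ip"] for e in events if e["outcome"] != "success")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_sshd_events(SAMPLE_AUTH_LOG)
    for e in evs:
        print(e["timestamp"], e["outcome"], e["user"], e["src_ip"], e["src_port"])
    print("noisy sources:", failures_by_source(evs))
```

The same grouping is what `| stats count by src_ip` gives you in Splunk once the TA has extracted `src_ip` and the `ssh-failed` style eventtypes; doing it once by hand makes it clear which raw message shapes the eventtypes are built on.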
Related
I have signed up for a 30-day trial version of Snowflake, and as part of learning I am trying to run SnowSQL (the client) from my Windows desktop. I installed the client from the Snowflake client repository (account name, username and password are all correct).
Got the following error:
C:\Users\ugain>snowsql -a vg49826 -u ugainedi
Password:
**250001 (08001): Failed to connect to DB. Verify the account name is correct: vg49826.snowflakecomputing.com:443. HTTP 403: Forbidden
If the error message is unclear, enable logging using -o log_level=DEBUG and see the log to find out the cause. Contact support for further help.
Goodbye!**
Appreciate the help. Thank you!
Go to your account using the Snowflake web UI and look at the URL. Since there is no account vg49826.snowflakecomputing.com, that means you're running Snowflake somewhere other than on AWS_US_WEST_2. That's the only region that does not include the region in the account name for connection purposes.
Copy the portion of the URL up to but not including "snowflakecomputing.com". It will be something like vg49826.us-east-1, vg49826.east-us-2.azure, or something similar. Your Snowflake account, for the purposes of connecting with SnowSQL, is the portion of the URL after https:// and before snowflakecomputing.com in the web UI URL.
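As an added illustration of the rule in the answer above (not code from the original thread or from Snowflake), the function below takes the web UI URL and returns the exact string to pass to `snowsql -a`, covering the three shapes the answer mentions: an AWS region suffix, an Azure region suffix, and the one region (AWS US West 2) whose account has no suffix at all. The sample URLs are constructed.

```python
import re
from urllib.parse import urlparse

# Host must end in ".snowflakecomputing.com"; everything before that is the account string.
ACCOUNT_HOST_RE = re.compile(r"^(?P<account>.+)\.snowflakecomputing\.com$", re.IGNORECASE)


def account_from_url(url):
    """Return the value for `snowsql -a` derived from a Snowflake web UI URL."""
    host = urlparse(url).hostname  # lower-cased, without port or credentials
    if not host:
        raise ValueError(f"no host name in URL: {url!r}")
    m = ACCOUNT_HOST_RE.match(host)
    if not m:
        raise ValueError(f"not a snowflakecomputing.com host: {host!r}")
    return m.group("account")


def has_region_suffix(account):
    """True when the account string carries a region (everything except AWS US West 2)."""
    return "." in account


if __name__ == "__main__":
    # Constructed examples of the URL shapes described in the answer.
    for url in (
        "https://vg49826.us-east-1.snowflakecomputing.com/console#/internal/worksheet",
        "https://vg49826.east-us-2.azure.snowflakecomputing.com/",
        "https://vg49826.snowflakecomputing.com/",
    ):
        acct = account_from_url(url)
        print(f"snowsql -a {acct}   (region in name: {has_region_suffix(acct)})")
```

If the function returns a bare `vg49826` for a URL you copied from the UI, the account really is in AWS US West 2 and the error in the question would not occur; if it returns something with a dot in it, that dotted string is what the `-a` flag needs.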
I have Mosquitto running and I want to arrange that only one client can connect to a topic as a publisher (maybe with a password or something); others can only connect as subscribers.
Defining topic and user access rights in the conf file is one way to do that. But in my application topics are created dynamically at run time.
How can I achieve this?
Thanks
See mosquitto-auth-plug
... plugin can perform authentication (check username / password) and authorization (ACL).
You may need to modify one of the backends that suits you if you want dynamic behavior for topic authorization. See the be_jwt_aclcheck functions.
We have a slapd server that has started generating many err=49 lines in /var/log/ldap for a particular service account. err=49 is logged when the bind has failed. By searching for the connections I can see that the source is localhost.
I have checked that the account is active using ldapsearch. I have tried grepping through /etc for the service account name to see what could be using it, to no avail.
How can I identify the source of the ldap queries to help investigate the issue?
Instead of trying to work from a connection perspective I continued looking from a log perspective:
awk '/from IP=127.0.0.1/ {print substr($3,1,5)}' /var/log/ldap |sort -n|uniq -c
This showed hits on the hour, searching cron.hourly found the suspect. My ideology of grepping for username was flawed based on the way the particular cron.hourly'ed script worked.
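The awk one-liner above counts every connection accepted from localhost by minute, which was enough to spot the hourly pattern. The block below is an added example (not from the original thread, not OpenLDAP's own tooling) that goes one step further in Python: it joins the slapd `ACCEPT`, `BIND` and `RESULT` lines on their `conn=`/`op=` identifiers so that each `err=49` can be reported with the source IP and the bind DN that failed, and then buckets the failures by HH:MM exactly as the `sort | uniq -c` did. The log lines are constructed in the standard slapd syslog format; the DNs and addresses are assumptions.

```python
import re
from collections import Counter

# Constructed slapd syslog lines (not from the original post): two failed binds from
# localhost on the hour and one successful bind from another host in between.
SAMPLE_LDAP_LOG = """\
Mar 10 03:00:01 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=127.0.0.1:45678 (IP=0.0.0.0:389)
Mar 10 03:00:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=svc-backup,ou=services,dc=example,dc=com" method=128
Mar 10 03:00:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Mar 10 03:00:01 ldap1 slapd[1234]: conn=1001 fd=12 closed
Mar 10 03:17:44 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=10.0.0.8:50211 (IP=0.0.0.0:389)
Mar 10 03:17:44 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar 10 03:17:44 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Mar 10 04:00:02 ldap1 slapd[1234]: conn=1003 fd=12 ACCEPT from IP=127.0.0.1:45702 (IP=0.0.0.0:389)
Mar 10 04:00:02 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="uid=svc-backup,ou=services,dc=example,dc=com" method=128
Mar 10 04:00:02 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
"""

ACCEPT_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>[^:\s]+):(?P<port>\d+)")
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
# tag=97 is the BindResponse, so this RESULT line belongs to the preceding BIND op.
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")


def failed_binds(log_text):
    """Join ACCEPT, BIND and RESULT lines on conn=/op= and return one record per err=49 bind."""
    source = {}    # conn -> source IP from the ACCEPT line
    pending = {}   # (conn, op) -> DN of a BIND still waiting for its RESULT
    failures = []
    for line in log_text.splitlines():
        ts = line[:15]  # syslog "Mon dd HH:MM:SS"
        if (m := ACCEPT_RE.search(line)):
            source[m["conn"]] = m["ip"]
        elif (m := BIND_RE.search(line)):
            pending[(m["conn"], m["op"])] = m["dn"]
        elif (m := RESULT_RE.search(line)):
            dn = pending.pop((m["conn"], m["op"]), None)
            if dn is not None and m["err"] == "49":
                failures.append({
                    "time": ts,
                    "conn": m["conn"],
                    "src_ip": source.get(m["conn"], "?"),
                    "dn": dn,
                })
    return failures


def failures_per_minute(failures, src_ip=None):
    """Same bucketing as the awk|sort|uniq -c above, but only for failed binds (optionally one source)."""
    return Counter(f["time"][7:12] for f in failures if src_ip is None or f["src_ip"] == src_ip)


if __name__ == "__main__":
    fails = failed_binds(SAMPLE_LDAP_LOG)
    for f in fails:
        print(f["time"], f["src_ip"], f["dn"])
    print(failures_per_minute(fails, src_ip="127.0.0.1"))
```

Because the join is keyed on `conn=`, the report names the DN whose credentials are stale, which is what to grep for under /etc/cron.hourly rather than the bare account name, since a script may build the DN from pieces the plain username grep never matches.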
I configured ldaps by referring to http://linuxtechres.blogspot.com/2010/04/how-to-configure-ldaps-or-starttls.html.
After that, when I try ldapsearch, it won't display any results.
The entries are there in LDAP, as I get an error if I try to ldapadd them.
If I remove the TLS-related info from ldap.conf and slapd.conf, ldapsearch works nicely and displays all entries.
Can someone help please?
Do you have some minimum level of confidentiality required in your config file? Also the way the ACLs work is that they stop processing after the first hit (in general) so if you have an ACL on a specific user type that is extremely limiting that may be what causes your situation. The admin account can always see everything in case you do mess things up.
Probably late for this, but... Have you tried the ldapsearch/ldapadd option "-ZZ"?
What you want to do is look at the slapd.log file and see what error the OpenLDAP server is returning when you try to connect. Then you will have a hint of where to go next.
I have been looking for information or examples of how to setup an IDM driver for Apple Open Directory. The articles I have found don't give much detail and pretty much no actual technical content.
I am using the LDAP driver and can connect and create a user on the OD side. However, the issue I am running into is how to set and synchronize passwords. Since it appears that the LDAP driver is not able to set the encrypted password correctly I was going to use dscl to set the password after the user is created by the driver. Since this step must occur after the XDS is submitted on the subscriber channel, can I create a follow-up event to trigger the dscl command or can I use the status message that comes back on the publisher channel?
It seems like synchronizing eDir to Apple Open Directory with IDM should not be something new. I am a little surprised that there is not an existing driver configuration in the Designer palette or at least some more detailed examples or discussions in the forums.
The answer I worked out was to write custom Java classes to make command line calls to the ODM server to set the password and also to do some group updates. 90% of the work is done using the standard LDAP driver.