Looking up a user's failed login (wrong password)
Message:
user="s0116" group="N/A" authproto="HTTPS(10.10.66.216)" action="authentication" status="failure" reason="invalue username/password" msg="User s0116 failed in authentication"
Query: "s0116" && "invalue username/password"
Or
Use Splunk (it records only login/logout events)
Query: "s0116"
******************************************************
search mail keyword
search keyword:
"zxcv2020123@outlook.com" AND source:mg
mg
2019-12-30T08:50:51.000Z
*************************************************
date=2017-09-14 time=00:27:44 devname=FG1K5D devid=FG1K5D3I15802166 logid=0102043008 type=event subtype=user level=notice vd="root" logdesc="Authentication success" srcip=192.168.202.158 dstip=192.168.250.86 policyid=0 user="A0411018" group="auth_user_group" authproto="HTTP(192.168.202.158)" action=authentication status=success reason="N/A" msg="User A0411018 succeeded in authentication"
search keyword:
192.168.202.158 AND success
192.168.12.150 AND authentication
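
The keyword searches above match a string anywhere in the line. The following is an added example (not part of the original post) that parses the same key=value log format and filters on individual fields, so a search for a source IP does not also match that IP in dstip. The function names are hypothetical; sample lines 1 and 3 are shortened from the post, lines 2 and 4 are constructed.

```python
import re
from collections import Counter

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line):
    """Parse one key=value log line into a dict of field -> value."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def auth_events(lines, user=None, srcip=None, status=None):
    """Yield authentication events whose fields equal the given values."""
    wanted = {"user": user, "srcip": srcip, "status": status}
    for line in lines:
        ev = parse_kv(line)
        if ev.get("action") != "authentication":
            continue
        if all(v is None or ev.get(k) == v for k, v in wanted.items()):
            yield ev

def failures_by_user(lines):
    """Count failed authentications per user name."""
    return Counter(ev.get("user", "?") for ev in auth_events(lines, status="failure"))

def keyword_hits(lines, *words):
    """Plain substring AND search, like the keyword queries in the post."""
    return [line for line in lines if all(w in line for w in words)]

# Sample input: lines 1 and 3 are shortened from the post; 2 and 4 are constructed.
SAMPLE = [
    'user="s0116" group="N/A" authproto="HTTPS(10.10.66.216)" action="authentication" status="failure" reason="invalue username/password" msg="User s0116 failed in authentication"',
    'user="s0116" group="N/A" authproto="HTTPS(10.10.66.216)" action="authentication" status="failure" reason="invalue username/password" msg="User s0116 failed in authentication"',
    'srcip=192.168.202.158 dstip=192.168.250.86 policyid=0 user="A0411018" group="auth_user_group" authproto="HTTP(192.168.202.158)" action=authentication status=success reason="N/A" msg="User A0411018 succeeded in authentication"',
    'srcip=192.168.12.150 dstip=192.168.202.158 policyid=0 user="B0000001" group="auth_user_group" authproto="HTTP(192.168.12.150)" action=authentication status=success reason="N/A" msg="User B0000001 succeeded in authentication"',
]

if __name__ == "__main__":
    print("failures per user:", dict(failures_by_user(SAMPLE)))
    print("keyword hits:", len(keyword_hits(SAMPLE, "192.168.202.158", "success")))
    for ev in auth_events(SAMPLE, srcip="192.168.202.158", status="success"):
        print("field match:", ev["user"], ev["srcip"], ev["status"])
```
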
***************************************************
search keyword: nf_src_address:192.168.30.148