Suggested Searches for Linux OS

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

These suggested searches cover some of the most common scenarios for monitoring user activity and security activity on a Linux server. These searches work on RedHat, Debian, SuSe platforms, and their derivations (for example, CentOS, Ubuntu, OpenSuSe).

You can enter these queries into the Search box as a starting baseline, and then customize a query and time range for your system. Be sure to save your search queries if you plan to run them often.

It's assumed that common Linux OS logs are collected (for example: /var/log/*).

The _sourceCategory fields shown in these sample queries are based on the following Linux logs and their metadata:

Generic system log: Typically named /var/log/syslog or /var/log/messages
Meta field: SourceCategory = OS/Linux/System
Authentication log: Typically named /var/log/auth or /var/log/auth.log
Meta field: SourceCategory=OS/Linux/Security

These logs might have also been collected by the Collector (if selected during its installation).

User activity

These searches are intended to help you understand how privileged and non-privileged users are authenticating to and using your Linux servers.

Successful User Login events

Returns all successful remote and local logins by a user.

Suggested time range: -1 day

_sourceCategory=*linux* ("su:" or "sudo:" or "sshd:" or "sshd[" or "pam:") (("Accepted" and "pam") or "session" or ("to" and "on")) !"closed" | parse regex "\S*\s+\d+\s+\d+:\d+:\d+\s(?<dest_hostname>\S*)\s(?<process_name>\w*):\s+(?<message>.*)$" nodrop | parse regex "\S*\s+\d+\s+\d+:\d+:\d+\s(?<dest_hostname>\S*)\s(?<process_name>\S*)\[\d+\]:\s+(?<message>.*)$" nodrop | parse "session * for user * by *(uid=*)" as (action,dest_user,src_user,src_user_id) nodrop | parse regex "session (?<action>\w*) for user (?<dest_user>\S*)" nodrop | parse "Accepted keyboard-interactive/pam for * from * port * *" as (dest_user,src_hostname,src_port,protocol) | where dest_user!=""

All failed authentication attempts

Returns all failed authentication attempts by either a user or a process.

Suggested time range: -1 day

_sourceCategory=*linux* ("authentication failure" or "FAILED SU" or "input_userauth_request: invalid user" or "Invalid user" or "Failed publickey" or "Failed password") | parse regex "\d+\s+\d+:\d+:\d+\s(?<dest_hostname>\S+)\s(?<process_name>\w*)(?:\[|:)" nodrop | parse " user = * " as dest_user nodrop | parse "User *: Authentication failure" as dest_user nodrop | parse " user=*" as dest_user nodrop | parse regex "\S*\s+\d+\s+\d+:\d+:\d+\s+(?<_sourceHost>\S*)\s+" nodrop | parse regex "\S*\s+\d+\s+\d+:\d+:\d+\s+(?<dest_hostname>\S*)\s+(?<message>[^;]+)" nodrop | parse "ruser=* rhost=* user=*" as src_user, src_host, dest_user nodrop | parse "ruser= rhost=* user=*" as src_host, dest_user nodrop | parse " user=*\"" as dest_user nodrop | parse "Authentication failure for * from *" as dest_user, src_host nodrop | parse "FAILED SU (to *) * on" as dest_user, src_user nodrop | parse regex "FAILED LOGIN (?:SESSION|\d+) FROM (?:\S+) FOR (?<dest_user>\S+)," nodrop | parse "input_userauth_request: invalid user *" as dest_user nodrop | parse "Invalid user * from * port *" as dest_user, src_host, src_port nodrop | parse "Failed publickey for * from * port * *" as dest_user, src_host, src_port, protocol nodrop | parse "Failed password for * from * port * *" as dest_user, src_host, src_port, protocol nodrop | parse "Failed password for invalid user * from * port * *" as dest_user, src_host, src_port, protocol nodrop | if (!isEmpty(protocol), protocol, if (message matches "sshd[*", "ssh", protocol)) as protocol | where dest_user!="" | if (src_user="", dest_user, src_user) as src_user | if (src_host=" " or isEmpty(src_host), _sourceHost, src_host) as src_host | src_host as src_ip

Root activities

Returns all sudo/su attempts, or activities by "root" user. Modify to include other privileged users that you want to track in your environment.

_sourceCategory=OS/Linux/Security ("sudo" or "root" or "su") | parse regex "\S*\s+\d+\s+\d+:\d+:\d+\s(?<dest_hostname>\S*)\s" nodrop | extract "sudo:\s+(?<src_user>[^ ]+?)\s:.+?USER=(?<dest_user>[^ ]+?)\s+" nodrop | parse regex "COMMAND=(?<command>[^$]*)$" nodrop | parse " user * " as dest_user nodrop | parse " user *" as dest_user nodrop | where command !="" or dest_user in ("root") or src_user in ("root")

Failed SU attempts

Returns all failed SU attempts.

_sourceCategory=*linux*("authentication failure" or "FAILED SU" or "input_userauth_request: invalid user" or "Invalid user" or "Failed publickey" or "Failed password") ("su:" or "su[") | parse regex "\d+\s+\d+:\d+:\d+\s(?<dest_hostname>\S+)\s(?<process_name>\w*)(?:\[|:)" nodrop | parse " user = * " as dest_user nodrop | parse "User *: Authentication failure" as dest_user nodrop | parse " user=*" as dest_user nodrop | parse regex "\S*\s+\d+\s+\d+:\d+:\d+\s+(?<_sourceHost>\S*)\s+" nodrop | parse regex "\S*\s+\d+\s+\d+:\d+:\d+\s+(?<dest_hostname>\S*)\s+(?<message>[^;]+)" nodrop | parse "ruser=* rhost=* user=*" as src_user, src_host, dest_user nodrop | parse "ruser= rhost=* user=*" as src_host, dest_user nodrop | parse " user=*\"" as dest_user nodrop | parse "Authentication failure for * from *" as dest_user, src_host nodrop | parse "FAILED SU (to *) * on" as dest_user, src_user nodrop | parse "FAILED su for * by *" as dest_user,src_user nodrop | parse regex "FAILED LOGIN (?:SESSION|\d+) FROM (?<src_tty>\S+) FOR (?<dest_user>\S+)," nodrop | parse "input_userauth_request: invalid user *" as dest_user nodrop | parse "Invalid user * from * port *" as dest_user, src_host, src_port nodrop | parse "Failed publickey for * from * port * *" as dest_user, src_host, src_port, protocol nodrop | parse "Failed password for * from * port * *" as dest_user, src_host, src_port, protocol nodrop | parse "Failed password for invalid user * from * port * *" as dest_user, src_host, src_port, protocol nodrop | where dest_user!="" and src_user!="" | count as attempts by dest_hostname, src_user, dest_user | sort - attempts

Security activity monitoring

New users

Returns a list of all new users.

Suggested time range: -1 day

_ sourceCategory=OS/Linux/S* "useradd" and (("new user") or ("new account")) | parse regex "\S*\s+\d+\s+\d+:\d+:\d+\s(?<dest_hostname>\S*)\s(?<process_name>\w*)(?:\[|:)" nodrop | parse "name=*, UID=*, GID=*, home=*, shell=*" as dest_user,dest_uid,dest_gid,home_dir,shell nodrop | parse "account=*, uid=*, gid=*, home=*, shell=*," as dest_user,dest_uid,dest_gid,home_dir,shell nodrop

New groups

Returns a list of all new groups.

Suggested time range: -1 day

_sourceCategory=OS/Linux/S* "new group" | parse regex "\S*\s+\d+\s+\d+:\d+:\d+\s(?<dest_hostname>\S*)\s(?<process_name>\w*)(?:\[|:)" nodrop | parse "name=*, GID=*" as dest_group,dest_gid nodrop | parse "group=*, gid=*," as dest_group,dest_gid nodrop

Existing users added to privileged groups

Returns all messages that indicate a user being added to an administrative group. Modify this query to include the IDs or names of the administrative groups in your environment.

Suggested time range: -1 day

_sourceCategory=OS/Linux/S* "to group" or "default group changed" or "change user" | parse regex "\S*\s+\d+\s+\d+:\d+:\d+\s(?<dest_hostname>\S*)\s(?<process_name>\w*)(?:\[|:)" nodrop | parse "add '*' to group '*'" as dest_user,dest_group nodrop | parse "account added to group - account=*, group=*, gid=*," as dest_user,dest_group,dest_gid nodrop | parse "account=*, uid=*, gid=*, old gid=*," as dest_user,dest_uid, dest_gid,src_gid nodrop | parse "change user '*' GID from '*' to '*'" as dest_user,src_gid, dest_gid nodrop | where dest_gid in("10","0","4") or dest_group in ("root", "wheel", "adm")

Failed Password Changes

Returns all failed attempts to change a user password.

Suggested time range: -1 day

_sourceCategory=OS/Linux/* "Authentication failure" | parse regex "\S*\s+\d+\s+\d+:\d+:\d+\s(?<dest_hostname>\S*)\s(?<process_name>\w*)(?:\[|:)" nodrop | parse "User *:" as dest_user nodrop | parse " user=*" as dest_user nodrop | where process_name="passwd"

System Start

Returns all incidents when the sytem starts (or restarts).

Suggested time range: -1 day

_sourceCategory=OS/Linux/System "Initializing cgroup subsys cpuset" | parse regex "^(?<StartTime>\S*\s+\d+\s+\d+:\d+:\d+)\s(?<dest_hostname>\S*)\s(?<process_name>\w*)(?:\[\d+\]|):\s+" nodrop

Service Shutdown/Exiting

Returns all instances when a service is shutting down or exiting. (Note that this query cannot capture the cases when there is no log when a service is down.)

Suggested time range: -1 day

_sourceCategory=OS/Linux/System ("exiting" or "exited" or "terminating" or "terminated" or "shutting") | parse regex "\S*\s+\d+\s+\d+:\d+:\d+\s(?<dest_hostname>\S*)\s(?<process_name>\w*)(?:\[\d+\]|):\s+" | where process_name !=""