Hello Splunk Community,
I am new to Splunk so please bear with me. My end goal is to construct a dashboard summary of our fail2ban intrusion prevention framework. The current panel I am attempting to construct should correlate the list of temporarily banned IPs from fail2ban with the corresponding SSH logs. I could then for example pull out the attempted usernames or the total count of SSH attempts from a particular IP.
A sample fail2ban log line and the corresponding SSH log lines:
May 28 11:39:33 [hostname] fail2ban.actions: WARNING [ssh] Ban 42.121.111.136
May 28 11:39:32 [hostname] sshd[9748]: Failed password for invalid user HonestQiao from 42.121.111.136 port 14130 ssh2
May 28 11:39:28 [hostname] sshd[9746]: Failed password for invalid user 5s1admin from 42.121.111.136 port 13918 ssh2
May 28 11:39:24 [hostname] sshd[9744]: Failed password for root from 42.121.111.136 port 13734 ssh2
I can retrieve all of the desired events and extract the banned IPs with the following search:
(process=sshd "failed password") OR process=fail2ban.actions | rex "fail2ban.actions: WARNING .* Ban (?<fail2ban_ip>\d+\.\d+\.\d+\.\d+)"
I then want to drill down to only viewing the SSH logs from the banned IPs. I believe this can be done with the transaction command but my attempts to filter by fail2ban_ip have proven fruitless. I tried:
... | transaction fail2ban_ip
which groups by banned IP fine but only shows the fail2ban logs instead of the SSH ones. Using "src_ip" or "fail2ban_ip, src_ip" as the transaction field list shows SSH logs for all IPs (including unbanned ones) or an empty result, respectively.
I browsed quite a few transaction examples but couldn't find something that helped me out. Any advice on how to use transaction or how to better approach the problem would be greatly appreciated.
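The correlation the post is after (first collect the IPs fail2ban banned, then keep only the sshd failures from those IPs and tally usernames and attempt counts), shown as an added Python example that is not part of the original post; it runs outside Splunk on constructed sample lines modelled on the ones above, with the hostname and an extra unbanned client made up for the test.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the post's lines; "host" and the
# 10.0.0.5 client are made up so the filter has something to exclude.
SAMPLE_LOG = """\
May 28 11:39:33 host fail2ban.actions: WARNING [ssh] Ban 42.121.111.136
May 28 11:39:32 host sshd[9748]: Failed password for invalid user HonestQiao from 42.121.111.136 port 14130 ssh2
May 28 11:39:28 host sshd[9746]: Failed password for invalid user 5s1admin from 42.121.111.136 port 13918 ssh2
May 28 11:39:24 host sshd[9744]: Failed password for root from 42.121.111.136 port 13734 ssh2
May 28 11:40:01 host sshd[9750]: Failed password for alice from 10.0.0.5 port 50000 ssh2
"""

# Same capture as the post's rex, plus the jail name in brackets.
BAN_RE = re.compile(r"fail2ban\.actions: WARNING \[\S+\] Ban (?P<ip>\d+\.\d+\.\d+\.\d+)")
# Handles both "Failed password for root" and "Failed password for invalid user X".
SSH_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def banned_ips(lines):
    """First pass: the set of IPs fail2ban banned (the inner 'subsearch')."""
    return {m.group("ip") for line in lines if (m := BAN_RE.search(line))}

def ssh_failures_for_banned(lines):
    """Second pass: keep only sshd failures whose source IP was banned.
    Returns {ip: {"attempts": n, "users": Counter of attempted usernames}}."""
    banned = banned_ips(lines)
    summary = defaultdict(lambda: {"attempts": 0, "users": Counter()})
    for line in lines:
        m = SSH_FAIL_RE.search(line)
        if m and m.group("ip") in banned:
            entry = summary[m.group("ip")]
            entry["attempts"] += 1
            entry["users"][m.group("user")] += 1
    return dict(summary)

if __name__ == "__main__":
    for ip, s in ssh_failures_for_banned(SAMPLE_LOG.splitlines()).items():
        print(ip, s["attempts"], dict(s["users"]))
```

The two-pass shape is the point: in SPL the same thing is an inner search over the fail2ban events feeding the IP list into an outer search over sshd events, which is what a subsearch does, rather than a transaction grouping both event types together.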