Class 6 Lab 1 ‐ Log Query - Justin-Boyd/CIT-Class GitHub Wiki

Task: Query Logs

Step 1

  • Start your Ubuntu virtual machine. Attempt to log in five times using an incorrect password. On your sixth attempt, log in with the correct password.

Step 2

  • Click Activities, search for terminal, and open it.

Step 3

  • Run the command sudo /opt/splunk/bin/splunk start to start the Splunk daemon and confirm it is running (if it is already running, the command says so instead).

Step 4

  • Click the Firefox icon to open the browser, and browse to 127.0.0.1:8000.

Step 5

  • Enter username admin, and password Aa123456, to sign in.

Step 6

  • Click Search and Reporting.

Step 7

  • Write the query source="/var/log/auth.log" and click the search icon.

Step 8

  • Locate the log of the command executed in the terminal with root permissions.

Step 9

  • Use the query source="/var/log/*" to display all the logs from /var/log/.
  • Note that the asterisk (*) is a wildcard that matches every file in that directory.

Step 10

  • Note that all logs located in /var/log/ are displayed.

Step 11

  • Use the query source="/var/log/auth.log" authentication failure to display only the authentication-failure events, which show which users failed to log in.
  • Change the search time frame to the last 24 hours.

Step 12

  • Note the records of failed login attempts with the user john.

Step 13

  • Expand one of the logs, click the user john, and then click Add to search.
  • This will filter the results to display only failed logins of the user john.

Step 14

  • Note the value that was added to the search bar automatically.
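The Splunk steps above do three things: keyword-filter auth.log for "authentication failure" (Step 11), narrow the result to one user (Step 13), and show the sudo command recorded in Step 8. The following Python script is an added example, not part of the lab or the CIT-Class wiki, that performs the same analysis offline over a few constructed auth.log lines (the sample lines, the hostname "ubuntu", and the five-failures-in-ten-minutes threshold are assumptions, not data from the lab VM). It goes one step further than the lab by counting failures per user and flagging a user whose failures cluster inside a short window, which is the check that would catch the five wrong passwords entered in Step 1; in Splunk that grouping is what a trailing `| stats count by user` would do.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (PAM/gdm and sudo formats as Ubuntu writes them);
# these are not captured from the lab VM.
SAMPLE_AUTH_LOG = """\
Mar 10 09:12:01 ubuntu gdm-password[1312]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=john
Mar 10 09:12:09 ubuntu gdm-password[1312]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=john
Mar 10 09:12:17 ubuntu gdm-password[1312]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=john
Mar 10 09:12:25 ubuntu gdm-password[1312]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=john
Mar 10 09:12:33 ubuntu gdm-password[1312]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=john
Mar 10 09:12:41 ubuntu gdm-password[1312]: pam_unix(gdm-password:session): session opened for user john by (uid=0)
Mar 10 09:13:05 ubuntu sudo:     john : TTY=pts/0 ; PWD=/home/john ; USER=root ; COMMAND=/opt/splunk/bin/splunk start
Mar 10 09:13:05 ubuntu sudo: pam_unix(sudo:session): session opened for user root by john(uid=1000)
Mar 10 09:20:12 ubuntu gdm-password[1312]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=alice
"""

# Classic syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# PAM failure message; \b keeps "ruser=" from matching as "user=".
FAIL_USER_RE = re.compile(r"authentication failure;.*\buser=(?P<user>\S*)")
# sudo's own command record: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_auth_line(line):
    """Split one syslog line into its fields; returns None for lines that do not fit."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so strptime defaults to 1900; only
    # differences between timestamps are used here, so that is harmless.
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "host": m["host"],
        "prog": m["prog"],
        "msg": m["msg"],
    }


def auth_failures(lines, user=None):
    """Step 11/13 equivalent: (timestamp, user, program) for each failure, optionally for one user."""
    out = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        m = FAIL_USER_RE.search(rec["msg"])
        if not m:
            continue
        if user is not None and m["user"] != user:
            continue
        out.append((rec["ts"], m["user"], rec["prog"]))
    return out


def failures_by_user(lines):
    """Count failures per user (what '| stats count by user' would give in Splunk)."""
    return dict(Counter(user for _, user, _ in auth_failures(lines)))


def sudo_commands(lines):
    """Step 8 equivalent: (invoking user, target user, command) for each sudo record."""
    out = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None or rec["prog"] != "sudo":
            continue
        m = SUDO_RE.match(rec["msg"])
        if m:
            out.append((m["user"], m["target"], m["cmd"]))
    return out


def brute_force_candidates(lines, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failures inside any `window` (sliding window per user).
    The threshold and window are assumed values for this example."""
    per_user = defaultdict(list)
    for ts, user, _ in auth_failures(lines):
        per_user[user].append(ts)
    flagged = []
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print("failures per user:", failures_by_user(lines))
    print("john's failures:", len(auth_failures(lines, user="john")))
    print("sudo commands:", sudo_commands(lines))
    print("users over threshold:", brute_force_candidates(lines))
```

To run it against a real file instead of the embedded sample, replace the `SAMPLE_AUTH_LOG.splitlines()` call with the lines of /var/log/auth.log (reading it needs root, just as the lab's Splunk input does). The regexes only cover the pam_unix and sudo message shapes shown; sshd writes "Failed password for ..." lines that a fuller parser would also match.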