Syslog 數據表的查詢

  • 發行項

尋找 Linux 核心事件

尋找 Linux 核心進程所報告有關已終止進程的事件。

// To create an alert for this query, click '+ New alert rule'
Syslog
| where ProcessName == "kernel" and SyslogMessage contains "Killed process"

所有 Syslog

最後 100 個 Syslog。

Syslog 
| top 100 by TimeGenerated desc

所有具有錯誤的 Syslog

最後 100 個 Syslog 與 erros。

Syslog 
| where SeverityLevel == "err" or  SeverityLevel == "error"
| top 100 by TimeGenerated desc

依設施排序的所有 Syslog

所有依設施的 Syslog。

Syslog 
| summarize count() by Facility

依行程名稱排序的所有 Syslog

依行程名稱的所有 Syslog。

Syslog 
| summarize count() by ProcessName

依電腦新增至Linux群組的使用者

清單 已將使用者新增至Linux群組的電腦。

Syslog
| where Facility == 'authpriv' and SyslogMessage has 'to group' and (SyslogMessage has 'add' or SyslogMessage has 'added')
| summarize by Computer

由電腦建立的新 Linux 群組

清單 建立新 Linux 群組的電腦。

Syslog
| where Facility == 'authpriv' and SyslogMessage has 'new group'
| summarize count() by Computer

失敗的Linux使用者密碼變更

清單 失敗的Linux使用者密碼變更電腦。

Syslog
| where Facility == 'authpriv' and ((SyslogMessage has 'passwd:chauthtok' and SyslogMessage has 'authentication failure') or SyslogMessage has 'password change failed')
| summarize count() by Computer

Ssh 登入失敗的電腦

清單 登入失敗的計算機。

Syslog
| where (Facility == 'authpriv' and SyslogMessage has 'sshd:auth' and SyslogMessage has 'authentication failure') or (Facility == 'auth' and ((SyslogMessage has 'Failed' and SyslogMessage has 'invalid user' and SyslogMessage has 'ssh2') or SyslogMessage has 'error: PAM: Authentication failure'))
| summarize count() by Computer

失敗 Su 登入的電腦

清單 失敗的 su 登入電腦。

Syslog
| where (Facility == 'authpriv' and SyslogMessage has 'su:auth' and SyslogMessage has 'authentication failure') or (Facility == 'auth' and SyslogMessage has 'FAILED SU')
| summarize count() by Computer

失敗 Sudo 登入的電腦

清單 失敗 sudo 登入的電腦。

Syslog
| where (Facility == 'authpriv' and SyslogMessage has 'sudo:auth' and (SyslogMessage has 'authentication failure' or SyslogMessage has 'conversation failed')) or ((Facility == 'auth' or Facility == 'authpriv') and SyslogMessage has 'user NOT in sudoers')
| summarize count() by Computer