Visualizing sshd brute-force attempts (part 2)
It's always better to Read The Fine Manual (or run perl afterglow.pl -h for the more updated helpfile)...though it's not really that well documented 
Afterglow allows for two column inputs, rather than us having to do weird tricks to make them 3-column.
(Note to self: get the raw data with fields in the order that you want where possible/faster, rather than pumping it through sed. Makes for good practice though.)
Using the csv file containing userids (visualized in yellow) and IPs (visualized in green) over the past few months from Splunk, here're the results of some of the experiments.
Oh, for the Windows users, you can use type instead of cat 
First test using GraphViz's neato to layout:
perl afterglow.pl -b 1 -i <infile> -c color.properties -t | neato -Tgif -o output.gif
Huge, but better visualized with -e 5 option (Resulting image for that is too huge to upload though ). Note the single IP in the middle (the yellow explosion) that had been trying a LOT of userids to date.
Second test using fdp:
perl afterglow.pl -b 1 -i <infile> -c color.properties -t | fdp -Tgif -o output.gif
fdp doesn't seem to be well suited for this
Third test using sfdp:
No command here, you should have noticed the pattern from the first two...
_even_ less suited for this type of data...
Last test using twopi:
According to the GraphViz site, twopi's more suited for visualizing stuff like telecommunications flows.
twopi
Getting additional (IP/network/location) info along with your Splunk searches
Chanced upon some of the info by accident (smack at the bottom of one part of the Splunk documentation...), but I can't find it now. Going to share here anyway 
Some (or probably most/all) of your searches might involve public IP addresses, and more often than not we would want to have additional info along with the IP address to work with.
Three of the things that we could do in Splunk automatically would be to get IP-location info, or to reverse lookup an IP to a domain, or to lookup a domain to an IP.
Fun with Splunk: SSHD
Thought I'd share a bit on the tip of the iceberg, on what can be done with Splunk. Linux command line tools are still much needed for raw log analysis (since we can't have the luxury of having a Splunk installation around and ready whenever we need it), but if setup and running properly, Splunk can be pretty helpful (and not to mention faster) for some things.
(This post is pretty unpolished, partly because I can't be bothered to fiddle around with fitting the search strings into the width of the post, etc. Nonetheless, comments/discussions are always welcome heh)
One of my favourite tasks with log analysis is to get information on those people/bots which are brute forcing SSHD, so let's start with SSH attacks as an example.