https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-authentication-creates-to-much-noise/m-p/485814#M59738 <P>Hi @gcusello </P> <P>Not just me then. I don't really have the permissions to run scripts on clients.</P> <P>Was hoping for an indicator of a true login within the logs or a method to make the results more accurate.</P> <P>We use smart cards to authenticate and ideally logging when a smart card is inserted to login or removed to log out would be ideal but struggling to get this information in the logs.</P> Tue, 21 Jan 2020 12:36:04 GMT nathanluke86 2020-01-21T12:36:04Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-authentication-creates-to-much-noise/m-p/485810#M59734 <P>Hello Splunkers,</P> <P>Is it just me or are Windows Auth events ridiculously noisey.</P> <P>I am trying to get accurate login/logout information but the events show multiple success and logoff events for the same attempt judging by time. I thought this might be duplicate logs but they all have different record ID's as below.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8230i89C98760022CC8CC/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Is this just windows in general or might this be an issue with how our DC's (5 in total) log or are setup.</P> <P>multiple successes in a row with the same time stamp are mainly for 1 dc so not just multiple dc attempts to authenticate if that makes sense.</P> Tue, 21 Jan 2020 10:48:38 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-authentication-creates-to-much-noise/m-p/485810#M59734 nathanluke86 2020-01-21T10:48:38Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-authentication-creates-to-much-noise/m-p/485811#M59735 <P>I see duplicate logs,<BR /> <CODE>21/01/2020 08:28:04.000 ipAddress 10.200.33.211 EventID 4624</CODE><BR /> What is the query?</P> Tue, 21 Jan 2020 10:57:35 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-authentication-creates-to-much-noise/m-p/485811#M59735 to4kawa 2020-01-21T10:57:35Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-authentication-creates-to-much-noise/m-p/485812#M59736 <P>Hi @nathanluke86,<BR /> Windows generates much noise (every login usually generates between 10 and 13 login/logout events!).<BR /> You should try to group events using transform command.<BR /> I had this problem and I solved in a different way: I executed every 5 minutes on clients a script with the command "query user" that extract the connected uses and gives infos about login and logout.<BR /> This script with the inputs.conf were in a dedicated Technical Add-on.</P> <P>Ciao.<BR /> Giuseppe</P> Tue, 21 Jan 2020 11:08:03 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-authentication-creates-to-much-noise/m-p/485812#M59736 gcusello 2020-01-21T11:08:03Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-authentication-creates-to-much-noise/m-p/485813#M59737 <P>@to4kawa </P> <P>all the logs have different record id's so are not duplicate logs.</P> <P>This was my first impression but turns out they are not.</P> <P>Thanks for the input, much appreciated</P> Tue, 21 Jan 2020 12:27:17 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-authentication-creates-to-much-noise/m-p/485813#M59737 nathanluke86 2020-01-21T12:27:17Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-authentication-creates-to-much-noise/m-p/485814#M59738 <P>Hi @gcusello </P> <P>Not just me then. I don't really have the permissions to run scripts on clients.</P> <P>Was hoping for an indicator of a true login within the logs or a method to make the results more accurate.</P> <P>We use smart cards to authenticate and ideally logging when a smart card is inserted to login or removed to log out would be ideal but struggling to get this information in the logs.</P> Tue, 21 Jan 2020 12:36:04 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-authentication-creates-to-much-noise/m-p/485814#M59738 nathanluke86 2020-01-21T12:36:04Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-authentication-creates-to-much-noise/m-p/485815#M59739 <P>Hi @nathanluke86,<BR /> see if your SmartCards give additional logs!<BR /> Windows isn't so clear in logins, you could use transaction command with options (maxspan=1h startswith="EventCode=4624)" endswith="EventCode=4634") but isn't so precise!</P> <P>Ciao.<BR /> Giuseppe</P> Tue, 21 Jan 2020 12:56:10 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-authentication-creates-to-much-noise/m-p/485815#M59739 gcusello 2020-01-21T12:56:10Z