topic Re: How to identify user activities login / logout (reason to logout)? in Getting Data In

How to identify user activities login / logout (reason to logout)?

godaba — Tue, 05 Jul 2022 19:57:05 GMT

Hi Team,

I am a learner, so want to know about identifying the session login / logout time periods of an users and reasons for the activities.

Re: How to identify user activities login / logout (reason to logout)?

ITWhisperer — Wed, 06 Jul 2022 05:42:38 GMT

Start with the data

Do you have it already ingested into Splunk?

Do you understand the data?

Can you write a search to find speed up interpretation of the data?

How do you want to represent the information you have obtained by analysing the data?

Re: How to identify user activities login / logout (reason to logout)?

gcusello — Wed, 06 Jul 2022 06:46:41 GMT

Hi @godaba,

Anyway, your question is just a little vague because depends on what technologies you have as inputs, what's the purpose of your analysis, and what's your knowledge of Splunk.

In other words:

at first you have to list all the technologies that you have as inputs (e.f. windows, linux, Cisco ASA, etc...),
then you have to identify the rules for each source (e.g. win login is EventCode=4624, win logfail is EventCode=4625, etc...),
then you have to create an eventtype for each condition and associate to it a tag (e.g.: LOGIN, LOGOUT, LOGFAIL),
then you can run a search on these tags using SPL.

These aren't jobs to do via GUI, for this reason I ask you: what's you knowledge of Splunk getting data in and Splunk language (SPL)?

You need both of them.

You can find many videos about getting data in on Splunk YouTube Channel and the tutorial for SPL at https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial

Ciao.

Giuseppe

Re: How to identify user activities login / logout (reason to logout)?

godaba — Wed, 06 Jul 2022 07:24:48 GMT

I am a learner to Splunk, as an initial requirement, just want to monitor the User's from windows ( AD Users ), when they logged in / activity performed by them / logout reason etc..Please guide if need more inputs on this. Possible to view the reports from GUI?

Re: How to identify user activities login / logout (reason to logout)?

gcusello — Wed, 06 Jul 2022 07:48:02 GMT

Hi @godaba,

as I said, you need at first to take and parse logs from Windows servers.

You can do this deploying to your Domain Controllers the Splunk_TA_Windows (https://splunkbase.splunk.com/app/742/).

Before deploying it, you have to enable the inputs, you need, for this Use Case at least wineventlog:security.

I suppose that you already installed and configured your Universal Forwarders to send data to Splunk Enterprise.

In this way, you have logs for searching.

So you can run a simple search like this following:

index=wineventlog EventCode IN ("4624","4525","4634") | stats count BY EventCode

In this way you have the login, logout and logfail logs.

Ciao.

Giuseppe

Re: How to identify user activities login / logout (reason to logout)?

godaba — Wed, 06 Jul 2022 11:55:05 GMT

Thanks for assistance Giuseppe, to get on hand.

So GUI is not possible for my requirement right, as suggested by you, I will follow the videos to get more.

Could you please help me in better understanding of this command below.

index=wineventlog EventCode IN ("4624","4525","4634")

Re: How to identify user activities login / logout (reason to logout)?

gcusello — Wed, 06 Jul 2022 12:19:11 GMT

Hi @godaba,

it's the same thing to use:

index=wineventlog (EventCode=4624 OR EventCode=4525 OR EventCode=4634)

Ciao.,

Giuseppe