topic Re: Report to monitor logon/logoff time and duration on Windows in Getting Data In

Report to monitor logon/logoff time and duration on Windows

ejwade — Fri, 14 Oct 2016 23:53:25 GMT

I was using the following question/answer:

How can I use windows events to monitor logon sessions
https://answers.splunk.com/answers/127012/how-can-i-use-windows-events-to-monitor-logon-sessions.html

But I need to create a report that lists Logon time, Logoff time, and Duration by User and Computer. Do you know how to alter this search string to achieve this?

Thank you.

Re: Report to monitor logon/logoff time and duration on Windows

sundareshr — Sat, 15 Oct 2016 00:04:16 GMT

Try this

 source="WinEventLog:Security" EventCode=4624 OR EventCode=4634  Account_Name=*  action=success 
 | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))  
 | eval User=lower(User)| search NOT User=*$
 | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
 | eval Logofftime=Logontime+duration
 | convert ctime(_time) as Logontime
 | convert ctime(Logofftime) as Logofftime
 | eval Duration=round((duration/60), 0) 
 | table Logontime, Logofftime, and Duration User Computer 
 | sort User Computer

Re: Report to monitor logon/logoff time and duration on Windows

thambisetty_bal — Sun, 16 Oct 2016 06:16:18 GMT

Hi,
How are you getting logontime field which was used in line 5. This is not working.

Re: Report to monitor logon/logoff time and duration on Windows

caseynordell — Tue, 11 Apr 2017 19:09:07 GMT

I too cannot get this to work for me. It creates a table with the users and Logontimes, but the Logofftime is always blank and duration always equals zero. I've been tinkering with it all day but cannot get it to fully work. It seems so close though!
I feel like the way it is defining duration and Logofftime is cyclical and self-referential...

Re: Report to monitor logon/logoff time and duration on Windows

caseynordell — Tue, 11 Apr 2017 20:01:52 GMT

To be specific, I am needing to tracking logon/logoff times for a specific workstation. I've installed the Splunk forwarder and configured it to forward the Security log to our index. Here is the code I am using:

index=MyIndex host="MyMachineName" sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=*
  | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))  
  | eval User=lower(User)| search NOT (User=*$ OR User=system)
  | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
  | eval Logofftime=Logontime+duration
  | convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as Logontime
  | convert timeformat="%m/%d/%y %H:%M:%S" ctime(Logofftime) as Logofftime
  | eval Duration=round((duration/60), 0) 
  | table Logontime, Logofftime, and Duration User host 
  | sort User host

And as a result, I'm getting a table which has:
Logontime column with a series of logon times
Logofftime column which is always blank
Duration column which is filled with zeros
User column which has a list of users (one for each logontime)
host column which has the machine name repeated (this is here because eventually I want to monitor five machines total)

it seems so close... if I could just get it to fill in the logoff and duration columns, my boss would be so happy. But I can't seem to figure it out any further than this... can anyone provide assistance? Thanks.

Re: Report to monitor logon/logoff time and duration on Windows

kenoski — Tue, 11 Apr 2017 22:40:48 GMT

The search is referencing Logontime before it is being defined.

This
| eval Logofftime=Logontime+duration

should be
| eval Logofftime=_time+duration

Hope this helps.

Re: Report to monitor logon/logoff time and duration on Windows

caseynordell — Wed, 12 Apr 2017 15:03:39 GMT

Thanks. Changing this has filled in the "Logofftime" column, but the logon and logoff times are the same. I think this is because duration still equals zero. Getting closer...

Re: Report to monitor logon/logoff time and duration on Windows

kenoski — Mon, 17 Apr 2017 15:14:44 GMT

I saw both those that are 0 in length and others with longer times being displayed in my search

Re: Report to monitor logon/logoff time and duration on Windows

dharveynswccd — Thu, 09 Aug 2018 12:44:25 GMT

Hi guys, did anyone get this to display the proper logoff times? I'm running into the same dilemna where the logoff time is the same as the logon time.

Re: Report to monitor logon/logoff time and duration on Windows

caseynordell — Thu, 09 Aug 2018 13:12:55 GMT

I can only speak for myself: I never got this work satisfactorily 100% of the time.
Not only did logoff times sometimes report incorrectly (as the same as logon), but also different people's logins would often overlap and mess up the calculations.
In the end, I think we went with another solution besides splunk (I'm not certain because the project was handed off to someone else).

Re: Report to monitor logon/logoff time and duration on Windows

GoneSplunking — Tue, 16 Oct 2018 18:11:22 GMT

Here is what I did to get it to work properly
index=* host=* sourcetype="WinEventLog:Security" EventCode="4624" OR EventCode=4634
| transaction user maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logontime=if(EventCode="4624",_time,null())
| eval Logofftime=Logontime+duration
| convert ctime(Logontime) as Logontime
| convert ctime(Logofftime) as Logofftime
| table host, user, Logontime, Logofftime, duration
| sort user, host, -duration
| rename duration AS "Duration (seconds)"

Re: Report to monitor logon/logoff time and duration on Windows

dharvey32 — Wed, 17 Oct 2018 12:40:28 GMT

@GoneSplunking: Glad to hear this is working for you. However, this doesn't work for me. Still plugging away at this. Thanks though

Re: Report to monitor logon/logoff time and duration on Windows

GoneSplunking — Thu, 18 Oct 2018 17:06:32 GMT

I made a slight change for readability on my part. Does any part of the query work?

Re: Report to monitor logon/logoff time and duration on Windows

jason_hotchkiss — Wed, 27 Dec 2023 17:39:06 GMT

Here is my contribution to this topic, since it now almost 2024.

index="wineventlog" source="WinEventLog:Security" (EventCode=4624 AND Logon_Type=2) OR EventCode=4647 Account_Name=* action=success ComputerName=* earliest=-1d@d latest=@d | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) | eval User=lower(User) | search NOT User IN (*$, system) | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4647" maxspan=-1 | eval Logontime=if(EventCode="4624",_time,null()) | eval Logofftime=Logontime+duration | eval Duration=round(duration/60/60, 2) | convert ctime(Logontime) as Logontime | convert ctime(Logofftime) as Logofftime | table User ComputerName Logontime Logofftime Duration EventCode Logon_Type | sort user, host, -Duration | rename duration AS "Duration (hours)"

For my use case I was looking for interactive sessions or sessions initiated by the user. The log off event is 4647. The previous days events are being collected using the earliest and latest settings. I converted my time to hours with two decimal places. Lastly, I excluded the system account.

Thanks to all those who contributed to the previous solutions they were really helpful.