topic Re: How to monitor user activity (logon and logoff) in Getting Data In

How to monitor user activity (logon and logoff)

gntavelis — Wed, 08 Apr 2020 17:20:02 GMT

Hello,

Excuse my lack of expertise with Splunk. Could you please let me know how i can track when a specific user logon and logoff from the computer? I am using a universal forwarder to the dc only for the security logs. I can see that i have inside splunk server a lot of events. So it must be working.

Thank you

Re: How to monitor user activity (logon and logoff)

gcusello — Wed, 08 Apr 2020 17:52:44 GMT

Hi @gntavelis,
if you have DC logs, surely you have the following EventCodes that are related to Login, Logout and LogFail:
Login 4624, logFail 4625, LogOut 4634.
So you can search something like this:

index=wineventlog (EventCode=4625 OR EventCode=4625 OR EventCode=4634
| table _time user EventCode EventCodeDescription

Ciao.
Giuseppe

Re: How to monitor user activity (logon and logoff)

gntavelis — Wed, 08 Apr 2020 19:18:25 GMT

Giuseppe thank you very much for your reply.

Where i must copy paste the SPL statement? On the search box?
if yes i am getting the following errors:

Error in 'search' command: Unable to parse the search: unbalanced parentheses.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

Re: How to monitor user activity (logon and logoff)

MuS — Wed, 08 Apr 2020 20:42:33 GMT

Hi gntavelis,

try this on your search head:

index=wineventlog (EventCode=4625 OR EventCode=4625 OR EventCode=4634)
 | table _time user EventCode EventCodeDescription

the original post was missing a ) in the SPL.

cheers, MuS

Re: How to monitor user activity (logon and logoff)

gcusello — Thu, 09 Apr 2020 06:49:29 GMT

Hi @gntavelis,
Sorry! I forgot the second parenthesis!

index=wineventlog (EventCode=4625 OR EventCode=4625 OR EventCode=4634)
| table _time user EventCode EventCodeDescription

Then you can save this search in a report or in a dashboard panel.

Only one attention: in Windows an access to the system generates many login events, so this could seem that your user accessed the system many times more than the reality, you should filter events dedupping the events for _time user and host.

Ciao.
Giuseppe

Re: How to monitor user activity (logon and logoff)

to4kawa — Thu, 09 Apr 2020 08:23:32 GMT

how about security essentials?

Re: How to monitor user activity (logon and logoff)

gntavelis — Tue, 14 Apr 2020 12:37:23 GMT

Problems...

I am using the trial (free) version of splunk and due to the number of events i think i violated the license.
Is there a way to forward specific events from the domain controller to splunk? Maybe by using a subscription on the event viewer? Now i am using splunk universal forwarder that is installed on the domain controller and i do have the option to select only the security logs but i dont have the option to select specific events....

Please help
Thank you

Re: How to monitor user activity (logon and logoff)

gcusello — Tue, 14 Apr 2020 14:14:00 GMT

Hi @gntavelis,
you can filter events in the Universal Forwarder.
In inputs.con on the Domain Controller:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = EventCode\=4624|4634|4625
index = wineventlog
renderXml=false

Ciao.
Giuseppe

Re: How to monitor user activity (logon and logoff)

gntavelis — Wed, 15 Apr 2020 13:44:51 GMT

Hello Giuseppe! Thank you for your answer...

I searched inside the splunk universal forwarder directory and there is a directory with name input and lets say 6 or 7 inputs.conf files. could you please tell me which conf file i have to edit?

image: https://imgur.com/XynPDRa

Re: How to monitor user activity (logon and logoff)

gcusello — Wed, 15 Apr 2020 14:56:45 GMT

Hi @gntavelis,
inputs.conf usually is in $SPLUNK_HOME/etc/apps/your_TA/local
probably, the TA's name is TA_Windows, so open your $SPLUNK_HOME/etc/apps/TA_Windows/local/inputs.conf;
you should find the stanza [WinEventLog://Security];
in this stanza add the whitelist = EventCode\=4624|4634|4625 row and restart Splunk.

If you have many Universal Forwarder, probably you're managing them using a Deployment Server, in this case, you have to modify the TA_Windows on Deployment Server, not directly on Universal Forwarders.

Ciao.
Giuseppe