topic Re: Help with alert set up in Alerting

How to create an alert based on syslog login and logout data?

vrmandadi — Sun, 22 May 2022 19:47:47 GMT

I want to create an alert based on syslog login and logout data.I want the alert to be triggered when a session is opened for but doesnt have a session closed for a particular session id and if that session is opened for more than 8 hours compared to the time the splunk alert is scheduled.

For example if a session is opened by a user at 8AM and if he doesnt log off by 4PM which is more than 8 hrs than it needs to be alerted by giving the user session id

Following are the sample data for login and logoff sessions

2022-05-21T20:00:02.048677-07:00 login-se01 CRON[4031976]: pam_unix(cron:session): session closed for user abc

2022-05-21T20:00:02.041845-07:00 login-se01 CRON[4031976]: pam_unix(cron:session): session opened for user abc by (uid=0)

Re: Help with alert set up

gcusello — Sun, 22 May 2022 08:20:30 GMT

Hi @vrmandadi,

please try something like this:

index=os ("session closed for user" OR "session opened for user") earliest=-8h@h latest=@h | eval type=if(searchmatch("session opened for user"),"open","close") | stats first(if(eval(type="open"),_time,"") AS earliest latest(if(eval(type="close"),_time,"") AS latest dc(type) AS dc_type values(type) AS type BY user | where dc_type=1 AND type="open" | eval earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S), latest=strftime(latest,"%Y-%m-%d %H:%M:%S) table user earliest latest

Ciao.

Giuseppe

Re: Help with alert set up

vrmandadi — Sun, 22 May 2022 14:53:32 GMT

@gcusello

I got the following error "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '%m-%d %H:%M:%S)'."

I think there is an issue starting from
| where dc_type=1 AND type="open"
| eval
earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S),
latest=strftime(latest,"%Y-%m-%d %H:%M:%S)
| table session_user earliest latest

Also running the search without the where clause doesnt show any value for earliest and latest time.

session_user earliest latest dc_type type

abc

open

Re: Help with alert set up

gcusello — Mon, 23 May 2022 06:24:09 GMT

Hi @vrmandadi,

sorry! the quotes in the evals and the pipe before table:

index=os ("session closed for user" OR "session opened for user") earliest=-8h@h latest=@h | eval type=if(searchmatch("session opened for user"),"open","close") | stats first(if(eval(type="open"),_time,"") AS earliest latest(if(eval(type="close"),_time,"") AS latest dc(type) AS dc_type values(type) AS type BY user | where dc_type=1 AND type="open" | eval earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"), latest=strftime(latest,"%Y-%m-%d %H:%M:%S") | table user earliest latest

Re: Help with alert set up

vrmandadi — Mon, 23 May 2022 14:01:52 GMT

I still dont see the earliest and latest time...may be the strptime format needs to be changed..Below is the sample event.

2022-05-23T06:00:01.676861-07:00 login-1 CRON[114336]: pam_unix(cron:session): session closed for user abc

2022-05-23T06:00:01.670790-07:00 login-1 CRON[114336]: pam_unix(cron:session): session opened for user abc by (uid=0)

Re: Help with alert set up

gcusello — Mon, 23 May 2022 15:20:31 GMT

Hi @vrmandadi,

no the strftime is only to format the output not to read because _time is in epochtime.

Could you share the search you're using?

Ciao.

Giuseppe

Re: Help with alert set up

vrmandadi — Mon, 23 May 2022 15:37:16 GMT

index=abc session_points="session opened" OR session_points="session closed" session_user!=root earliest=-8h@h latest=@h
| eval type=if(searchmatch("session opened for user"),"open","close")
| stats
first(if(eval(type="open"),_time,"")) AS earliest
latest(if(eval(type="close"),_time,"")) AS latest
dc(type) AS dc_type
values(type) AS type
BY session_user
| where dc_type=2 AND type="close"
| eval
earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"),
latest=strftime(latest,"%Y-%m-%d %H:%M:%S")
| table session_user earliest latest

Re: Help with alert set up

gcusello — Tue, 24 May 2022 06:39:09 GMT

Hi @vrmandadi,

debug your search starting from the end deleting one row at a time,

in other words: if you run

index=abc session_points="session opened" OR session_points="session closed" session_user!=root earliest=-8h@h latest=@h | eval type=if(searchmatch("session opened for user"),"open","close")

have you both values for type?

what does it happen if you run

Ciao.

Giuseppe

Re: Help with alert set up

vrmandadi — Tue, 24 May 2022 14:09:57 GMT

Yes I did the line to line search and I see that when it comes to below..it doesnt show earliest and latest...it shows blank

| stats
first(if(eval(type="open"),_time,"")) AS earliest
latest(if(eval(type="close"),_time,"")) AS latest
dc(type) AS dc_type
values(type) AS type
BY session_user