https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356210#M105429 <P>Samples events are below:</P> <P>VDI logon events:<BR /> "An account was successfully logged on.</P> <P>Subject:<BR /> Security ID: NULL SID<BR /> Account Name: -<BR /> Account Domain: -<BR /> Logon ID: 0x0<BR /> Logon Type: 3</P> <P>Impersonation Level: Impersonation</P> <P>New Logon:<BR /> Security ID: LB\DEV1$<BR /> Account Name: DEV1$<BR /> Account Domain: LB<BR /> Logon ID: 0x894B5E95<BR /> Logon GUID: {f09e5f81-9f19-5f11-29b8-8750c7c02be3}</P> <P>Process Information:<BR /> Process ID: 0x0<BR /> Process Name: -"</P> <P>Application logon sample: (these differ per application) - Use of the root account in linux<BR /> "su: pam_unix(su-l session): session opened for user root by (uid-=0)"</P> Tue, 20 Jun 2017 19:08:40 GMT scc00 2017-06-20T19:08:40Z https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356206#M105425 <P>I am attempting to track user activity from vdi login to the use of a shared account to log into an application. For example, <CODE>user</CODE>=<CODE>Tim</CODE> logs into his VDI session <CODE>VDI-XXXX</CODE> at 9am, then opens up application, <CODE>sample_app</CODE>, and logs in as <CODE>user</CODE>=<CODE>admin</CODE>. How do I bring the two events into one transaction? In this case, assume that we have the application account name only, <CODE>admin</CODE> and that the vdi <CODE>user</CODE> name can change.</P> <P>I can track general logons as follows as a catchall:</P> <PRE><CODE>index="*" user="*" "*logged*" </CODE></PRE> <P>I've attempted to use a subsearch to narrow it down to just the application usage and hopefully the vdi session that led to the application logon but those searches come back blank.</P> <P>Sample searches tried:</P> <PRE><CODE>index=* user=* "*logged*" [search sourcetype=sample_app user=admin "*logged*" | fields + user, computer, event] | table _time, user, computer, event | sort _time </CODE></PRE> Fri, 16 Jun 2017 14:24:15 GMT https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356206#M105425 scc00 2017-06-16T14:24:15Z https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356207#M105426 <P>You are going to have to show some sample events.</P> Fri, 16 Jun 2017 14:36:18 GMT https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356207#M105426 woodcock 2017-06-16T14:36:18Z https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356208#M105427 <P>In addition to showing some sample events, it might also be useful to know which VDI system you are using in case there's some additional or different logs you can enable that will tell you this information directly.</P> Sun, 18 Jun 2017 17:04:26 GMT https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356208#M105427 Richfez 2017-06-18T17:04:26Z https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356209#M105428 <P>Samples events are below: </P> <P>VDI logon events:<BR /> "An account was successfully logged on.</P> <PRE><CODE>Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Impersonation Level: Impersonation New Logon: Security ID: LB\DEV1$ Account Name: DEV1$ Account Domain: LB Logon ID: 0x894B5E95 Logon GUID: {f09e5f81-9f19-5f11-29b8-8750c7c02be3} Process Information: Process ID: 0x0 Process Name: -" </CODE></PRE> <P>Application logon sample: (these differ per application) - Use of the root account in linux</P> <PRE><CODE>"su: pam_unix(su-l session): session opened for user root by (uid-=0)" </CODE></PRE> <P>For VDI type: <CODE>VMWare</CODE> (unsure which version though). </P> Mon, 19 Jun 2017 12:36:19 GMT https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356209#M105428 scc00 2017-06-19T12:36:19Z https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356210#M105429 <P>Samples events are below:</P> <P>VDI logon events:<BR /> "An account was successfully logged on.</P> <P>Subject:<BR /> Security ID: NULL SID<BR /> Account Name: -<BR /> Account Domain: -<BR /> Logon ID: 0x0<BR /> Logon Type: 3</P> <P>Impersonation Level: Impersonation</P> <P>New Logon:<BR /> Security ID: LB\DEV1$<BR /> Account Name: DEV1$<BR /> Account Domain: LB<BR /> Logon ID: 0x894B5E95<BR /> Logon GUID: {f09e5f81-9f19-5f11-29b8-8750c7c02be3}</P> <P>Process Information:<BR /> Process ID: 0x0<BR /> Process Name: -"</P> <P>Application logon sample: (these differ per application) - Use of the root account in linux<BR /> "su: pam_unix(su-l session): session opened for user root by (uid-=0)"</P> Tue, 20 Jun 2017 19:08:40 GMT https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356210#M105429 scc00 2017-06-20T19:08:40Z https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356211#M105430 <P>Index=internal sourcetyp=* | stats count by clientip,user</P> Sun, 02 Jul 2017 17:52:21 GMT https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356211#M105430 puneethgowda 2017-07-02T17:52:21Z https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356212#M105431 <P>Did I reformat your text correctly? You have neglected to show <CODE>_time</CODE> which is really the key here. How close together are these events in time (or should I say "at worst, how far apart are the matching events from eachother in tme")? And is it always 1-to-1 for pairing?</P> Mon, 03 Jul 2017 14:33:12 GMT https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356212#M105431 woodcock 2017-07-03T14:33:12Z https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356213#M105432 <P>So I found a better way to complete this query, using a multisearch. See updated query below. It searches for VDI session computer utilizing a inputlookup searching for expected users of the shared account. The second search is just checking for login activity for the shared account along for the application. </P> <P><CODE>|multisearch [search index=* *logged* ComputerName=pci-vdi* [|inputlookup account_users |fields + user] |fields + user,name, ComputerName,Msg,app, EventCode,src_ip] [search sourcetype=application user="sharedaccount" *logged* action=success | fields + user,host, Msg, app] | eval computer= coalesce(ComputerName, host), event=coalesce(name, Msg), Hour=strftime(_time, "%B %d %Y, %I:%M:%S %p"), user=upper(user) | dedup computer event |where computer!=" " | table Hour, user, computer, app,event | sort Hour user</CODE></P> <P>Now I need to figure out how to populate the searches only when search 2 finds a hit. Thoughts?</P> Mon, 24 Jul 2017 19:20:25 GMT https://community.splunk.com/t5/Splunk-Search/Tracking-User-Activity-Across-applications-without-matching/m-p/356213#M105432 scc00 2017-07-24T19:20:25Z