<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Show Only Logon Events in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/Show-Only-Logon-Events/m-p/236614#M176164</link>
    <description>&lt;P&gt;I will try that, thank you for now &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 29 Nov 2016 09:58:07 GMT</pubDate>
    <dc:creator>vessev</dc:creator>
    <dc:date>2016-11-29T09:58:07Z</dc:date>
    <item>
      <title>Show Only Logon Events</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Show-Only-Logon-Events/m-p/236612#M176162</link>
      <description>&lt;P&gt;I simply want to audit which systems our Administrators are logged on to right now.&lt;/P&gt;

&lt;P&gt;But I cannot separate out only the EventCode 4625 events which have no EventCode 4634 event.&lt;BR /&gt;
The major problem here is that the EventCodes for logon and logoff are tied together by Logon_IDs.&lt;BR /&gt;
I want to sort out every logon event (and logoff event) which has a specific logoff event.&lt;/P&gt;

&lt;P&gt;First I tried this way:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=wineventlog source="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) Account_Name=server-*
| eval User=if(mvcount(Account_Name)&amp;gt;1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval logid=if(mvcount(Logon_ID)&amp;gt;1, mvindex(Logon_ID,1), mvindex(Logon_ID,0))
| eval LogonID_4624=if(EventCode="4624", mvindex(Logon_ID, 1), null())
| eval LogonID_4634=if(EventCode="4634", Logon_ID, null())
| transaction fields="User" maxspan=-1
| eval Keep_Or_Not=if(LogonID_4624=LogonID_4634, "Keep", "Do_Not_Keep")
| search Keep_Or_Not="Do_Not_Keep"
| table _time, User, EventCode, Keep_Or_Not, LogonID_4624, LogonID_4634, Source_Network_Address, IP_RESOLVED, tag::app
| sort User
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;That was not successful, so I tried another query:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=wineventlog source="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) Account_Name=server-evermann
| eval User=if(mvcount(Account_Name)&amp;gt;1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval logid=if(mvcount(Logon_ID)&amp;gt;1, mvindex(Logon_ID,1), mvindex(Logon_ID,0))
| eval LogonID_4624=if(EventCode="4624", mvindex(Logon_ID, 1), null())
| eval LogonID_4634=if(EventCode="4634", Logon_ID, null())
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Thank you.&lt;/P&gt;</description>
      <pubDate>Wed, 23 Nov 2016 10:23:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Show-Only-Logon-Events/m-p/236612#M176162</guid>
      <dc:creator>vessev</dc:creator>
      <dc:date>2016-11-23T10:23:39Z</dc:date>
    </item>
    <item>
      <title>Re: Show Only Logon Events</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Show-Only-Logon-Events/m-p/236613#M176163</link>
      <description>&lt;P&gt;Try this&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=wineventlog source="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) Account_Name=server-*
| eval User=if(mvcount(Account_Name)&amp;gt;1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| transaction User startswith="EventCode=4624" endswith="EventCode=4634" maxspan=8h maxevents=2 keepevicted=t
| where closed_txn=0
| table _time User EventCode
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 23 Nov 2016 14:23:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Show-Only-Logon-Events/m-p/236613#M176163</guid>
      <dc:creator>sundareshr</dc:creator>
      <dc:date>2016-11-23T14:23:06Z</dc:date>
    </item>
    <item>
      <title>Re: Show Only Logon Events</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Show-Only-Logon-Events/m-p/236614#M176164</link>
      <description>&lt;P&gt;I will try that, thank you for now &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 29 Nov 2016 09:58:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Show-Only-Logon-Events/m-p/236614#M176164</guid>
      <dc:creator>vessev</dc:creator>
      <dc:date>2016-11-29T09:58:07Z</dc:date>
    </item>
    <item>
      <title>Re: Show Only Logon Events</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Show-Only-Logon-Events/m-p/236615#M176165</link>
      <description>&lt;P&gt;I have found out that I can have a NOT search as a subsearch. Here every event whose logon ID appears in an EventCode 4634 event is kicked out.&lt;BR /&gt;
It's not a search query for real-time searches, but it kind of does its work.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=wineventlog source="WinEventLog:Security" Account_Name=server-evermann EventCode=4624
| eval logid=mvindex(Logon_ID, 1)
| search NOT [search index=wineventlog source="WinEventLog:Security" Account_Name=server-evermann EventCode=4634 | rename Logon_ID as logid | table logid]
| table _time, logid, Source_Network_Address, host
| sort - _time
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The second problem is way worse, and it is something I found out while solving that problem.&lt;BR /&gt;
A logon event on a DC is not what you think it is. Sometimes more than 4 events are generated when logging on to a system,&lt;BR /&gt;
which all have different Logon_IDs. A few minutes later all the Logon_IDs are marked as logged off (from EventCode 4634) even though the connection is still established. That's because it is not the user's logon that generates the logon event 4624; the GPO update does this. That means I get an EventCode 4624 generated on every logon I do on a server (which forces a user-specific GPO update), and it also comes every 90 minutes (depending on your configuration of how often the GPO should update) and gets a logoff event when the update is done ... &lt;/P&gt;

&lt;P&gt;Does anyone have the same problem with domain user logging? I simply log all my DCs and thought I could catch all logon and logoff actions in my domain. I don't think that it is necessary to install a universal forwarder on every server in my domain or use WMI (which is a lame piece of crap in my opinion), or is it?!&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 11:56:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Show-Only-Logon-Events/m-p/236615#M176165</guid>
      <dc:creator>vessev</dc:creator>
      <dc:date>2020-09-29T11:56:51Z</dc:date>
    </item>
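The pairing logic the thread works toward (a 4624 matched to a later 4634 on the same Logon ID, using the second Logon_ID value of the 4624 exactly as the mvindex(Logon_ID, 1) in the queries above does, plus a logon-type filter for the GPO-refresh noise the last post describes), written out as an added Python example. This is not code from the original posts and not a Splunk feature; the sample events, the helper names (_logon, _logoff, parse_events, session_key, open_sessions) and the choice of logon types 2 and 10 as "interactive" are assumptions of the example.

```python
"""Pair Windows Security 4624 logons with 4634 logoffs by Logon ID.

Added example for this thread, not code from the original posts. It does in
plain Python what the SPL above does in Splunk: a 4624 carries two Logon IDs
(Subject, then New Logon) and the session is the second one, the thread's
mvindex(Logon_ID, 1); a 4634 carries one; a 4624 whose ID never shows up in a
later 4634 is still "logged on". The interactive-only filter is an assumption
added here: it drops network logons (type 3), which is how the periodic GPO
refresh the last post describes shows up on a DC, and keeps console (2) and
RDP (10) logons.
"""
import re
from dataclasses import dataclass
from datetime import datetime


def _logon(ts, account, logon_id, logon_type, src_ip):
    """Constructed 4624 in the classic WinEventLog:Security layout (not a real event)."""
    return (f"{ts}\nEventCode=4624\nMessage=An account was successfully logged on.\n"
            f"Subject:\n\tAccount Name:\t\t-\n\tLogon ID:\t\t0x0\nLogon Type:\t\t\t{logon_type}\n"
            f"New Logon:\n\tAccount Name:\t\t{account}\n\tLogon ID:\t\t{logon_id}\n"
            f"Network Information:\n\tSource Network Address:\t{src_ip}\n")


def _logoff(ts, account, logon_id, logon_type):
    """Constructed 4634 in the same layout (not a real event)."""
    return (f"{ts}\nEventCode=4634\nMessage=An account was logged off.\n"
            f"Subject:\n\tAccount Name:\t\t{account}\n\tLogon ID:\t\t{logon_id}\n"
            f"Logon Type:\t\t\t{logon_type}\n")


# Constructed sample: one RDP session left open, one GPO-style network logon that
# logs off again a minute later, one RDP session that ends, one network logon still open.
SAMPLE_EVENTS = "".join([
    _logon("11/23/2016 09:00:12 AM", "server-evermann", "0x1A2B3C", 10, "10.0.0.5"),
    _logon("11/23/2016 09:05:40 AM", "server-evermann", "0x1B0000", 3, "10.0.0.21"),
    _logoff("11/23/2016 09:06:02 AM", "server-evermann", "0x1B0000", 3),
    _logon("11/23/2016 09:10:55 AM", "server-mueller", "0x2C0000", 10, "10.0.0.9"),
    _logoff("11/23/2016 09:30:17 AM", "server-mueller", "0x2C0000", 10),
    _logon("11/23/2016 09:40:03 AM", "server-mueller", "0x2D0000", 3, "10.0.0.21"),
])


@dataclass
class Event:
    time: datetime
    code: int
    account_names: list   # every "Account Name:" in order, like Splunk's multivalue Account_Name
    logon_ids: list       # every "Logon ID:" in order, like Splunk's multivalue Logon_ID
    logon_type: int
    source_ip: str


def parse_events(raw):
    """Split raw text into events at each timestamp line and pull the fields used below."""
    events = []
    for chunk in re.split(r"(?m)^(?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$)", raw):
        if not chunk.strip():
            continue
        ts = datetime.strptime(chunk.splitlines()[0].strip(), "%m/%d/%Y %I:%M:%S %p")
        code = int(re.search(r"^EventCode=(\d+)", chunk, re.M).group(1))
        names = re.findall(r"^[ \t]*Account Name:[ \t]*(\S+)", chunk, re.M)
        ids = re.findall(r"^[ \t]*Logon ID:[ \t]*(0x[0-9A-Fa-f]+)", chunk, re.M)
        ltype = re.search(r"^[ \t]*Logon Type:[ \t]*(\d+)", chunk, re.M)
        ip = re.search(r"^[ \t]*Source Network Address:[ \t]*(\S+)", chunk, re.M)
        events.append(Event(ts, code, names, ids,
                            int(ltype.group(1)) if ltype else None,
                            ip.group(1) if ip else None))
    return events


INTERACTIVE_TYPES = {2, 10}   # console and RDP; an assumption of this example


def session_key(ev):
    """Logon ID that identifies the session: second value of a 4624 (New Logon),
    only value of a 4634; the thread's mvindex(Logon_ID, 1) versus Logon_ID."""
    if ev.code == 4624 and len(ev.logon_ids) > 1:
        return ev.logon_ids[1]
    if ev.code == 4634 and ev.logon_ids:
        return ev.logon_ids[0]
    return None


def open_sessions(events, interactive_only=False, account_prefix="server-"):
    """Return {logon_id: info} for every 4624 not followed by a 4634 with the same Logon ID.

    Events are walked in time order so a logoff only closes a logon that preceded it,
    which the unordered NOT-subsearch in the thread does not guarantee."""
    opened = {}
    for ev in sorted(events, key=lambda e: e.time):
        key = session_key(ev)
        if key is None:
            continue
        if ev.code == 4634:
            opened.pop(key, None)   # no-op for sessions that were filtered out or never seen
            continue
        names = ev.account_names
        account = names[1] if len(names) > 1 else (names[0] if names else "")
        if not account.startswith(account_prefix):
            continue
        if interactive_only and ev.logon_type not in INTERACTIVE_TYPES:
            continue
        opened[key] = {"account": account, "since": ev.time,
                       "logon_type": ev.logon_type, "source": ev.source_ip}
    return opened


if __name__ == "__main__":
    for only_interactive in (False, True):
        print(f"interactive_only={only_interactive}")
        for logon_id, info in open_sessions(parse_events(SAMPLE_EVENTS), only_interactive).items():
            print(f"  {info['account']:18} {logon_id:10} type {info['logon_type']} "
                  f"from {info['source']} since {info['since']:%H:%M:%S}")
```

Run without the filter, the constructed sample reports two open sessions (the RDP logon 0x1A2B3C and the network logon 0x2D0000); with interactive_only=True only the RDP session remains, which is the effect a Logon_Type filter would have on the DC-side noise the last post complains about. The real-world caveat remains the one the thread raises: a DC only ever sees network logons for member servers, so interactive sessions on those servers can only be found in the servers' own Security logs.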
  </channel>
</rss>

