topic Re: How to deal with Logon/Logoff scatterd over multiple events in Splunk Search

How to deal with Logon/Logoff scatterd over multiple events

jroedel — Thu, 10 Oct 2024 11:49:39 GMT

I have onboarded data from a system, that scatters actual events over many logging events. Especially successful or failed logins cause me some headache.

Successful login:
<timestamp> Connection 'id123' from '192.168.1.100' has logged onto the server 
<timestamp> User 'johndoe' logged on (Connection id='id123') 
[ Time passes until John eventually decides to logoff again]
 <timestamp> Connection 'id123' from has logged off the server

Failed login:
<timestamp> Connection 'id123' from '192.168.1.100' has logged onto the server 
<timestamp> Connection 'id123' from has logged off the server

Of course, I can fiddle around with transaction or even stats or whatever to list successful and failed logins or create an alert for it. However that is absolutely not elegant.

What is best practice, to get those data nicely streamlined with eventtypes and tags?

Re: How to deal with Logon/Logoff scatterd over multiple events

gcusello — Thu, 10 Oct 2024 11:56:41 GMT

Hi @jroedel ,

you can create an eventtype for login and one for logout, tagging these eventtypes with a related tag,

so you can use then in your searches.

but what's your requirement?

what do you need to receive as result?

Ciao.

Giuseppe

Re: How to deal with Logon/Logoff scatterd over multiple events

jroedel — Thu, 10 Oct 2024 13:00:07 GMT

Maybe I just do not see it: How would I apply an event type for a successfull login event, that is scattered over multiple log entries?

My requirement is, to achieve cim-comliance with this data source.

Re: How to deal with Logon/Logoff scatterd over multiple events

gcusello — Thu, 10 Oct 2024 13:04:24 GMT

Hi @jroedel ,

ok, you have to create eventtypes and add to login, logout and logfail eventtypes the tag "authentication.

You should try to use the Add-On Builder app (https://splunkbase.splunk.com/app/2962) or the CIM-Vladiator app (https://splunkbase.splunk.com/app/2968) that helps you in field aliases, calculated fields and tagging.

I usually use the second one.

Ciao.

Giuseppe

Re: How to deal with Logon/Logoff scatterd over multiple events

jroedel — Thu, 10 Oct 2024 13:11:33 GMT

Lets for now focus on a *successful* login. As shown in my initial post, there are multiple events for the same successfull login. One does carry the username, the other carries the source ip.

On which one should I set the event type and tag? And how do I enrich that event with the field from the other one?

Re: How to deal with Logon/Logoff scatterd over multiple events

gcusello — Thu, 10 Oct 2024 13:27:05 GMT

Hi @jroedel ,

eventtype and tag aren't related to the fields:

you have to create at first an eventtype for the login, called e.g. "my_technology_login":

index=my_index sourcetype=my_sourcetype ("has logged onto the server" OR "logged on"

and tag it as "Authentication" required BY CIM and "LOGIN".

then

index=my_index sourcetype=my_sourcetype (logoff OR "has logged off the server")

and tag it as "Authentication" required BY CIM and "LOGOUT".

The last sample doesn't seems to be a logfail event, please check it and apply as the others.

Then you have to extract fields: user and src using regexes.

Ciao.

Giuseppe

Re: How to deal with Logon/Logoff scatterd over multiple events

PickleRick — Thu, 10 Oct 2024 21:02:48 GMT

Event type cannot "merge" multiple events. As simple as that. So either process your data prior to ingesting so that you have a whole login event containing all interesting fields or do summary indexing and create synthetic events after ingesting original events.

Re: How to deal with Logon/Logoff scatterd over multiple events

jroedel — Fri, 11 Oct 2024 09:33:59 GMT

Thanks for clearifying, @PickleRick . So what would be the best practice for creating such synthetic events? A scheduled search every 5 (or so) Minutes? If yes, how to deal with:

- SH-Downtimes
- logins where only one of both needed events for a successful login is in the search time range, and the other is in the search time range of the previous run of the scheduled search

Re: How to deal with Logon/Logoff scatterd over multiple events

PickleRick — Fri, 11 Oct 2024 10:14:42 GMT

1. To deal with possible outages you schedule it with continuous schedule - that means that your search will be scheduled for each continuous time period. See

https://docs.splunk.com/Documentation/Splunk/latest/Report/Configurethepriorityofscheduledreports#Change_the_report_scheduling_mode_to_prioritize_completeness_of_data_over_recency_of_data

2. For this you'd typically use longer search window (and typically you'd want to search with a slight (maybe not; depending on your data) delay to account for data ingestion latency). But as with any search (not just summary-building one), if you have some data outside of your search-range you won't find it 🙂