Good morning.
I am trying to create an e-mailed alert for when specific user accounts attempt a remote (logon_type=10) or interactive (logon_type=2) log in to specific servers (tag=taggedservers).
My search returns a number of results for the last 24 hours (set) but I would like to receive an e-mailed alert each time a new log in from one of the user accounts is attempted.
The lookup referred to is to show logon_type description in tabled results.
This is my search syntax:
tag=taggedservers (EventCode=4624 OR EventCode=4634 OR EventCode=4647 OR EventCode=4625 OR EventCode=4778 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801) (user=adminuser1 OR user=adminuser2 OR user=adminuser3 OR user=adminuser4) (Logon_Type=2 OR Logon_Type=10) | lookup LogonTypeLookups.csv Logon_Type OUTPUT Logon_Desc
How do I create an alert, without using the real-time selection, each time one of the admin users attempts a connection to my tagged servers? If you have any suggestions for improvements to the search then I would be grateful to hear them.
Any help would be appreciated.
Thanks,
Rob.
I am not sure of this requirement, but I assume you want email notifications related to this search.
You can save this search query as an alert (a scheduled alert), set up a cron schedule for how frequently this query should run, then enable an email alert for when the search query returns the expected results.
Create scheduled alerts -
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Definescheduledalerts
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Emailnotification
Update -
Sorted. Changed search to earliest=-15m@m and then scheduled a cron job to run every 15 minutes and alert if stats count > 0.
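The scheduled alert described in this answer, written out as a savedsearches.conf stanza. This is an added example and not configuration from the original thread; the stanza name, the recipient address and the subject line are made up, the lookup file name and user list are taken from the question, and the window is -16m@m to @m rather than the -15m@m the asker settled on (both ends snapped to the minute so consecutive runs tile, with one minute of overlap to tolerate indexing latency; the throttle keys stop that overlap from double-mailing). Of the event codes in the original search only 4624, 4625 and 4634 carry a Logon_Type field, so the Logon_Type filter silently drops the others; the search below keeps just the two that represent a logon attempt.

```ini
# Added example: savedsearches.conf stanza for a scheduled (non real-time) alert.
# Place in $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf and restart or
# reload (| extract reload=t is not needed; a debug/refresh or restart picks it up).
[Admin interactive or RDP logon to tagged servers]

# 4624 = successful logon, 4625 = failed logon; both carry Logon_Type.
# Logon_Type 2 = Interactive, 10 = RemoteInteractive (RDP).
# LogonTypeLookups.csv and the adminuserN accounts are from the question.
# The stats collapses the several 4624 records one logon can produce into one
# row per user/host/EventCode, so each email corresponds to one logon attempt.
search = tag=taggedservers (EventCode=4624 OR EventCode=4625) \
    (Logon_Type=2 OR Logon_Type=10) \
    (user=adminuser1 OR user=adminuser2 OR user=adminuser3 OR user=adminuser4) \
    | lookup LogonTypeLookups.csv Logon_Type OUTPUT Logon_Desc \
    | stats count earliest(_time) AS first_seen latest(_time) AS last_seen \
        values(Logon_Desc) AS Logon_Desc values(src_ip) AS src_ip \
        by user, host, EventCode

# Scheduled, not real-time: runs every 15 minutes.
enableSched = 1
cron_schedule = */15 * * * *

# Window snapped to the minute on both ends so runs tile without gaps.
# -16m (assumed, not the thread's -15m) gives one minute of overlap so an
# event indexed a few seconds late is still seen by the next run.
dispatch.earliest_time = -16m@m
dispatch.latest_time = @m

# Trigger condition: at least one result row.
counttype = number of events
relation = greater than
quantity = 0

# Per-result alerting: one trigger per stats row (i.e. per user/host/EventCode),
# throttled on user+host for 15 minutes so the one-minute overlap above and a
# burst of retries do not produce duplicate emails.
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = user,host
alert.suppress.period = 15m
alert.track = 1
alert.severity = 4

# Email action; recipient and subject are assumed values.
action.email = 1
action.email.to = soc@example.com
action.email.subject = Admin logon on tagged server: $result.user$ on $result.host$ ($result.Logon_Desc$)
action.email.inline = 1
action.email.sendresults = 1
```

With per-result alerting and the suppress keys set, the behaviour matches the original goal of "an e-mail each time a new log in from one of the user accounts is attempted" without a continuous real-time search: a single RDP logon that writes several 4624 records yields one email, and the same user hitting the same host again within 15 minutes is throttled rather than re-mailed. If the servers are collected through a forwarder with noticeable latency, widen the overlap (dispatch.earliest_time) rather than shortening the cron interval.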
Thanks for your response. My issue is that I do not want this to run at scheduled set time periods but rather as a 'live' response. Due to the secure nature of the servers in question, I need to be alerted immediately when one of these accounts attempts a connection. Thanks, Rob.
OK then, you can choose real-time alerts:
Use a real-time alert to monitor events or event patterns as they happen. You can create real-time alerts with per-result triggering or rolling time window triggering. Real-time alerts can be costly in terms of computing resources, so consider using a scheduled alert when possible.
Create a real-time alert with per-result triggering
Real-time alerts with per-result triggering are sometimes known as "per-result alerts". This alert type and triggering use a continuous real-time search to look for events. Each search result triggers the alert.
Caution: In a high availability deployment, use per-result triggering with caution. If a peer is not available, a real-time search does not warn that the search might be incomplete. It is recommended to use a scheduled alert for this deployment.
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/DefineRealTimeAlerts
Thank you. I did also try this but seemed to be immediately flooded with historical event alerts rather than new alerts from new log ins. I'll give it a read through and see if I missed something.
I do appreciate your assistance with this.
Cheers.
If you want this to work only for new events, then maybe you can add earliest and latest fields,
for example earliest=-5m@m latest=now:
tag=taggedservers (EventCode=4624 OR EventCode=4634 OR EventCode=4647 OR EventCode=4625 OR EventCode=4778 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801) (user=adminuser1 OR user=adminuser2 OR user=adminuser3 OR user=adminuser4) (Logon_Type=2 OR Logon_Type=10) earliest=-5m@m latest=now
| lookup LogonTypeLookups.csv Logon_Type OUTPUT Logon_Desc
Sorted. Changed search to earliest=-15m@m and then scheduled a cron job to run every 15 minutes and alert if stats count > 0.
Thank you very much for your help with this.
Great.. can you please mark this as the accepted answer, and a few upvotes 😉
Done 🙂 🙂