Alerting

How to create an alert based on syslog login and logout data?

vrmandadi
Builder

I want to create an alert based on syslog login and logout data. I want the alert to be triggered when a session is opened for a particular session id but doesn't have a "session closed" for it, and that session has been open for more than 8 hours compared to the time the Splunk alert is scheduled.


For example, if a session is opened by a user at 8 AM and he doesn't log off by 4 PM, which is more than 8 hours, then it needs to be alerted on by giving the user session id.


Following are the sample data for login and logoff sessions:

2022-05-21T20:00:02.048677-07:00 login-se01 CRON[4031976]: pam_unix(cron:session): session closed for user abc


2022-05-21T20:00:02.041845-07:00 login-se01 CRON[4031976]: pam_unix(cron:session): session opened for user abc by (uid=0)

0 Karma

gcusello
Legend

Hi @vrmandadi,

Please try something like this:

index=os ("session closed for user" OR "session opened for user") earliest=-8h@h latest=@h
| eval type=if(searchmatch("session opened for user"),"open","close")
| stats 
     first(if(eval(type="open"),_time,"") AS earliest 
     latest(if(eval(type="close"),_time,"") AS latest
     dc(type) AS dc_type 
     values(type) AS type 
     BY user
| where dc_type=1 AND type="open"
| eval 
     earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S), 
     latest=strftime(latest,"%Y-%m-%d %H:%M:%S)
table user earliest latest

Ciao.

Giuseppe

0 Karma

vrmandadi
Builder

@gcusello 


I got the following error "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '%m-%d %H:%M:%S)'."


I think there is an issue starting from
| where dc_type=1 AND type="open"
| eval
earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S),
latest=strftime(latest,"%Y-%m-%d %H:%M:%S)
| table session_user earliest latest


Also, running the search without the where clause doesn't show any value for the earliest and latest time.


session_user  earliest  latest  dc_type  type
abc                               2        close
                                           open
0 Karma

gcusello
Legend

Hi @vrmandadi,

Sorry! The quotes in the evals and the pipe before table:

index=os ("session closed for user" OR "session opened for user") earliest=-8h@h latest=@h
| eval type=if(searchmatch("session opened for user"),"open","close")
| stats 
     first(if(eval(type="open"),_time,"") AS earliest 
     latest(if(eval(type="close"),_time,"") AS latest
     dc(type) AS dc_type 
     values(type) AS type 
     BY user
| where dc_type=1 AND type="open"
| eval 
     earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"), 
     latest=strftime(latest,"%Y-%m-%d %H:%M:%S")
| table user earliest latest


0 Karma

vrmandadi
Builder

I still don't see the earliest and latest time. Maybe the strptime format needs to be changed. Below is the sample event.


2022-05-23T06:00:01.676861-07:00 login-1 CRON[114336]: pam_unix(cron:session): session closed for user abc

2022-05-23T06:00:01.670790-07:00 login-1 CRON[114336]: pam_unix(cron:session): session opened for user abc by (uid=0)

0 Karma

gcusello
Legend

Hi @vrmandadi,

No, the strftime is only to format the output, not to read it, because _time is in epoch time.

Could you share the search you're using?

Ciao.

Giuseppe

0 Karma

vrmandadi
Builder

index=abc  session_points="session opened" OR session_points="session closed" session_user!=root earliest=-8h@h latest=@h
| eval type=if(searchmatch("session opened for user"),"open","close")
| stats
first(if(eval(type="open"),_time,"")) AS earliest
latest(if(eval(type="close"),_time,"")) AS latest
dc(type) AS dc_type
values(type) AS type
BY session_user
| where dc_type=2 AND type="close"
| eval
earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"),
latest=strftime(latest,"%Y-%m-%d %H:%M:%S")
| table session_user earliest latest

0 Karma

gcusello
Legend

Hi @vrmandadi,

Debug your search starting from the end, deleting one row at a time.

In other words: if you run

index=abc  session_points="session opened" OR session_points="session closed" session_user!=root earliest=-8h@h latest=@h
| eval type=if(searchmatch("session opened for user"),"open","close")

do you have both values for type?

what happens if you run

index=abc  session_points="session opened" OR session_points="session closed" session_user!=root earliest=-8h@h latest=@h
| eval type=if(searchmatch("session opened for user"),"open","close")
| stats
first(if(eval(type="open"),_time,"")) AS earliest
latest(if(eval(type="close"),_time,"")) AS latest
dc(type) AS dc_type
values(type) AS type
BY session_user

?

Ciao.

Giuseppe


0 Karma

vrmandadi
Builder

Yes, I did the line-by-line search and I see that when it comes to the below, it doesn't show earliest and latest; it shows blank.

| stats
first(if(eval(type="open"),_time,"")) AS earliest
latest(if(eval(type="close"),_time,"")) AS latest
dc(type) AS dc_type
values(type) AS type
BY session_user

0 Karma
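The thread ends without a working search, so here is an added example of the alert search as a security engineer would write it; it is not code from either participant or from Splunk documentation. It assumes the index name `os` from the first answer, that the events are the raw pam_unix syslog lines shown in the question, and that the field names produced by the `rex` (`log_host`, `proc`, `pid`, `service`, `action`, `session_user`, `session_id`) are ones chosen here, not existing extractions. Three things differ from the searches above. First, the `stats` calls in the thread put `eval()` inside `if()`; `stats` only accepts field names or `eval(...)` aggregations, so it treats `if(eval(type="open"),_time,"")` as a field name that does not exist, which is why `earliest` and `latest` come back blank. The conditional has to sit inside the eval: `min(eval(if(action="opened",_time,null())))`. Second, pam_unix does not log a session id; the closest key in these lines is the process name and PID in brackets (`CRON[4031976]`), combined with the host and the PAM service, so open and close are paired on that rather than on the user, who can have many overlapping sessions. Third, a window of `earliest=-8h@h` cannot contain a session that was opened more than 8 hours ago, so the search looks back 24 hours and compares the open time against `now()`.

```spl
index=os "pam_unix(" ("session opened for user" OR "session closed for user") NOT "for user root"
    earliest=-24h@h latest=now
| rex field=_raw "^\S+\s+(?<log_host>\S+)\s+(?<proc>[^\[]+)\[(?<pid>\d+)\]:\s+pam_unix\((?<service>[^)]+)\):\s+session\s+(?<action>opened|closed)\s+for\s+user\s+(?<session_user>\S+)"
| eval session_id=log_host.":".proc.":".pid.":".service
| stats min(eval(if(action="opened",_time,null()))) AS opened_time
        max(eval(if(action="closed",_time,null()))) AS closed_time
        values(session_user) AS session_user
        BY session_id
| where isnotnull(opened_time) AND isnull(closed_time) AND (now() - opened_time) > 8*3600
| eval open_hours=round((now() - opened_time)/3600, 1)
| eval opened_time=strftime(opened_time, "%Y-%m-%d %H:%M:%S")
| table session_id session_user opened_time open_hours
```

Run against the two sample events in the question, the CRON session for `abc` produces one `session_id` with both `opened_time` and `closed_time` set, so the `where` drops it; a session with only an "opened" line whose `opened_time` is more than 8 hours before `now()` survives and is what the alert reports. Schedule the alert hourly with this 24-hour window and set the alert's throttle on `session_id`, otherwise the same long-running session fires on every run until it closes or ages out of the window. If PIDs are recycled quickly on a busy host, widen the key with the day of `opened_time` before trusting the pairing, and note that a session whose "opened" line fell before the window start is invisible to this search, so the lookback must be longer than the longest session you expect to catch.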