Alerting

How to create an alert that triggers when a user successfully logs in to a specific host?

JasonGY
New Member

How would I create an alert that triggers when anyone logs in to a specific host? Or how do I configure an alert that triggers each time a specific user id logs on to any host?

0 Karma
1 Solution

MuS
Legend

Hi JasonGY,

from the site above, with a bit of modification, you'll get this for successful logins by users to a specific host:

source="WinEventLog:security" (EventCode=528 OR EventCode=540 OR EventCode=4624) host=myServer
| eval status=case(EventCode=528, "Successful Logon", EventCode=540, "Successful Logon", EventCode=4624, "Successful Logon")
| stats count by status, Account_Name, host

Or all logins by a specific user to any host:

source="WinEventLog:security" host=* (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)
| eval status=case(EventCode=528 OR EventCode=540 OR EventCode=4624, "Successful Logon", true(), "Failed Logon")
| stats count by status, Account_Name, host

This is all untested, so modify it to your needs and save it as an alert.

Hope this helps ...

cheers, MuS
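
To turn the accepted answer into a scheduled alert, here is an added example of a savedsearches.conf stanza; it is not from the thread above and not Splunk's own documentation. It assumes the Splunk Add-on for Microsoft Windows field extractions, where Account_Name on a 4624 event is a multivalue field whose first value is the Subject (usually the computer account or "-") and whose last value is the account that actually logged on, so a plain Account_Name=foo in the base search can match either. The stanza name, the host myServer and the recipient address are placeholders.

```ini
# savedsearches.conf, placed in the app's local/ directory. Added example, not from the thread.
[Interactive logon to myServer]
# Refined version of the accepted answer: 4624 only (the Vista/2008+ event ID),
# restricted to console (2), unlock (7), RDP (10) and cached-credential (11) logons,
# so the constant stream of network (3) and service (5) logons does not fire the alert.
# mvindex(Account_Name, -1) picks the account that logged on rather than the Subject;
# machine accounts (trailing "$") and ANONYMOUS LOGON are dropped.
# Source_Network_Address is the add-on's extraction of "Source Network Address".
search = source="WinEventLog:Security" EventCode=4624 host=myServer \
    (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11) \
    | eval user=mvindex(Account_Name, -1) \
    | where NOT like(user, "%$") AND user!="ANONYMOUS LOGON" \
    | stats count, earliest(_time) AS first_seen, latest(_time) AS last_seen, \
        values(Source_Network_Address) AS src_ip BY user, host, Logon_Type \
    | convert ctime(first_seen) ctime(last_seen)
# Run every 5 minutes over a 5-minute window that ends 1 minute ago, so events
# that arrive late from the forwarder are still caught and the windows do not overlap.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -6m@m
dispatch.latest_time = -1m@m
# Fire when any row comes back, once per result rather than as one digest,
# and suppress repeats for the same user/host pair for an hour.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = user,host
alert.suppress.period = 1h
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = Logon to $result.host$ by $result.user$
```

For the second case in the thread (one account on any host), change host=myServer to host=* and add `| where user="foo"` after the eval; filtering on the derived user field instead of the raw Account_Name avoids matching the Subject account, and the suppression on user,host still keeps one mail per host the account reaches.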


JasonGY
New Member

Mus - this is really great. The first one works very well. In the second one: I do not see where I can enter in criteria for a specific username to alert on. Please advise.

0 Karma

MuS
Legend

Just add the specific username to the base search:

source="WinEventLog:security" host=* Account_Name=foo (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)

cheers, MuS

0 Karma

JasonGY
New Member

That worked, thank you again!

0 Karma

MuS
Legend

Great, please accept the answer in this case 😉

cheers, MuS

0 Karma

sundareshr
Legend

What logs are you capturing?

0 Karma

JasonGY
New Member

Server logs, Windows event security logs from AD.

0 Karma

sundareshr
Legend

This site has a pretty good collection of Splunk queries for Security logs. See if you find anything that you can use.

http://gosplunk.com/category/wineventlogsecurity/

0 Karma

JasonGY
New Member

That site has some really great content, but still nothing specific to my question. I can't see how to alert on successful logons to a specific host or on all logons for a specific account to any host.

0 Karma