
How to create an alert that triggers when a user successfully logs in to a specific host?

New Member

How would I create an alert that triggers when anyone logs in to a specific host? Or how do I configure an alert that triggers each time a specific user id logs on to any host?


Re: How to create an alert that triggers when a user successfully logs in to a specific host?

Legend

What logs are you capturing?

0 Karma

Re: How to create an alert that triggers when a user successfully logs in to a specific host?

New Member

Server logs, windows event security logs from AD.

0 Karma

Re: How to create an alert that triggers when a user successfully logs in to a specific host?

Legend

This site has a pretty good collection of Splunk queries for Security logs. See if you find anything that you can use.

http://gosplunk.com/category/wineventlogsecurity/

0 Karma

Re: How to create an alert that triggers when a user successfully logs in to a specific host?

New Member

That site has some really great content, but still nothing specific to my question. I can't see how to alert on successful logons to a specific hosts or all logons for a specific account to any host.

0 Karma

Re: How to create an alert that triggers when a user successfully logs in to a specific host?

SplunkTrust

Hi JasonGY,

From the site above and a bit of modification you'll get this for successful logins by users to a specific host:

source="WinEventLog:security" (EventCode=528 OR EventCode=540 OR EventCode=4624) host=myServer
| eval status=case(EventCode=528, "Successful Logon", EventCode=540, "Successful Logon", EventCode=4624, "Successful Logon")
| stats count by status, Account_Name, host

Or all logins by a specific user to any host:

source="WinEventLog:security" (EventCode=528 OR EventCode=540 OR EventCode=4624) host=*
(Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)
| eval status=case(EventCode=528, "Successful Logon", EventCode=540, "Successful Logon", EventCode=4624, "Successful Logon", EventCode=4625, "Failed Logon", EventCode=529, "Failed Logon", EventCode=530, "Failed Logon", EventCode=531, "Failed Logon", EventCode=532, "Failed Logon", EventCode=533, "Failed Logon", EventCode=534, "Failed Logon", EventCode=535, "Failed Logon", EventCode=536, "Failed Logon", EventCode=537, "Failed Logon", EventCode=539, "Failed Logon")
| stats count by status, Account_Name, host

This is all untested, so modify it to your needs and save it as an alert.

Hope this helps ...

cheers, MuS

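The classification the two searches above perform, as an added example that is not part of the thread: the same EventCode-to-status mapping and the same host, account and Logon_Type filters applied to constructed Windows Security event records, so the alert conditions can be checked offline before saving a search as an alert. Field names follow the SPL; the sample events are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Event codes as grouped in the eval ... case() of the SPL above
SUCCESS_CODES = {528, 540, 4624}
FAILURE_CODES = {4625, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539}
# Logon types the second search keeps (console, unlock, RDP)
INTERACTIVE_LOGON_TYPES = {2, 7, 10}

# Constructed sample events using the field names the SPL references
EVENTS: List[Dict] = [
    {"host": "myServer",  "EventCode": 4624, "Logon_Type": 10, "Account_Name": "foo"},
    {"host": "myServer",  "EventCode": 4625, "Logon_Type": 10, "Account_Name": "foo"},
    {"host": "otherHost", "EventCode": 4624, "Logon_Type": 2,  "Account_Name": "foo"},
    {"host": "otherHost", "EventCode": 4624, "Logon_Type": 3,  "Account_Name": "foo"},
    {"host": "myServer",  "EventCode": 528,  "Logon_Type": 2,  "Account_Name": "bar"},
]

Key = Tuple[str, str, str]  # (status, Account_Name, host), the stats "by" fields


def status_of(event_code: int) -> Optional[str]:
    """Equivalent of the case() expression: None means no branch matched."""
    if event_code in SUCCESS_CODES:
        return "Successful Logon"
    if event_code in FAILURE_CODES:
        return "Failed Logon"
    return None


def successful_logons_to_host(events: List[Dict], host: str) -> Dict[Key, int]:
    """First search: successful logons to one host, counted by status/account/host."""
    counts: Dict[Key, int] = {}
    for e in events:
        if e["host"] != host or e["EventCode"] not in SUCCESS_CODES:
            continue
        key = ("Successful Logon", e["Account_Name"], e["host"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def logons_by_account(events: List[Dict], account: str) -> Dict[Key, int]:
    """Second search with Account_Name added: interactive logons for one account
    on any host, classified with the full success/failure list. Note the posted
    SPL also keeps the leading (EventCode=528 OR 540 OR 4624) clause, which is
    ANDed with the longer list, so as written only the successful codes match."""
    counts: Dict[Key, int] = {}
    for e in events:
        if e["Account_Name"] != account or e["Logon_Type"] not in INTERACTIVE_LOGON_TYPES:
            continue
        status = status_of(e["EventCode"])
        if status is None:
            continue
        key = (status, e["Account_Name"], e["host"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```

An alert would fire whenever the returned dictionary is non-empty for the search window.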

Re: How to create an alert that triggers when a user successfully logs in to a specific host?

New Member

Mus - this is really great. The first one works very well. In the second one: I do not see where I can enter in criteria for a specific username to alert on. Please advise.

0 Karma

Re: How to create an alert that triggers when a user successfully logs in to a specific host?

SplunkTrust

Just add the specific user name into the base search:

source="WinEventLog:security" (EventCode=528 OR EventCode=540 OR EventCode=4624) host=* Account_Name=foo
(Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)

cheers, MuS

0 Karma

Re: How to create an alert that triggers when a user successfully logs in to a specific host?

New Member

That worked, thank you again!

0 Karma

Re: How to create an alert that triggers when a user successfully logs in to a specific host?

SplunkTrust

Great, please accept the answer in this case 😉

cheers, MuS

0 Karma