Solved: Re: How to monitor admin users logged on/authentic...

lakshman239 · ‎09-05-2016

I am trying to create an alert to track admin users logged on to windows servers, but not performing any activities even after 30mins of logging in/authentication.

index=main (eventtype=logon_activity OR eventtype=wineventlog_security OR eventtype=wineventlog_system)

In windows logs, I can use Logon_id to track sessions, but need to find out the age/delta time which is more than 30mins.

Any suggestions/thoughts? Thanks in advance.

sundareshr · ‎09-05-2016

Try this

base search | reverse | streamstats window=1 current=f latest(_time) as next_activity by user | eval next_activity=coalesce(next_activity, now()) | eval gap=next_activity-_time | where gap>1800

View solution in original post

sundareshr · ‎09-05-2016

Try this

base search | reverse | streamstats window=1 current=f latest(_time) as next_activity by user | eval next_activity=coalesce(next_activity, now()) | eval gap=next_activity-_time | where gap>1800

lakshman239 · ‎09-07-2016

I have a slightly different problem now.. trying to find no session activities in unix/linux using /var/log/secure and nix add-on. I have tried a few options using stats/eventstats/streamstats, but running into issue, as i don't have a common field...

https://answers.splunk.com/answers/448591/statseventstats-how-to-track-open-session-when-clo.html

lakshman239 · ‎09-06-2016

Thanks Sundaresh. That helps

How to monitor admin users logged on/authenticated but no session activities for 30mins

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash