Hi there,
What I am trying to figure out is how I can search a Windows domain (Security logs?) to find out what users were logged in overnight.
Currently installed: Splunk for ActiveDirectory, SA-ldapsearch, sideview utils, TA Windows and Universal Forwarders on our domain controllers/dns servers.
I thought I might be able to get this information out of the Splunk App for Active Directory by default using the "User Utilization" pull-down, but I believe what that is showing me is users who logged in AT a certain time, not users who were logged in from x-time to y-time.
An example would be -
Come in tomorrow morning and run a search on last night's logs to see if anyone was logged in from say 8 PM to 4 AM.
Any ideas? Thanks!
You will not need any fancy apps for this search. A simple search will do.
This should get you started.
earliest=-12h@m latest=now index=main sourcetype=WinEventLog:Security (EventCode=528 OR EventCode=540 OR EventCode=4624) | table _time,Account_Name
Save the search, schedule it to run at 6 AM every day, and have it send you an email with the results.
The event codes are logon event codes, so they are recording logon events. There are types of logons for the various ways a user can 'logon' to a machine (interactive, network, service, etc... 9 total). You may be interested in only a few of those.
Finding users who are currently logged on is a tricky problem in Windows. See this answer for more details: http://answers.splunk.com/answers/43122/determine-users-on-the-same-server-within-a-time-window
I don't really like the solution they came up with, so I think you might want to create a new question for that.
Thanks for the quick reply, it worked for me! I added some NOT operators to get rid of machine accounts and anonymous stuff.
I'll have to work on the output a little bit to make it cleaner, i.e.: giving me a total count for each Account_Name so I don't see each one multiple times.
Also, I'm still not sure - this is showing me users who LOGGED IN during that specific time, right? What about users who LOGGED IN BEFORE and stayed logged in throughout the night? I'm guessing that I need to better understand how my Windows logs could be inspected to see logins without a corresponding logout...
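The question raised above, users who logged on before the window and simply stayed logged on, is a session-correlation problem rather than a logon-count problem, and it also covers the logon-type filtering mentioned in the earlier answer. The following is an added example in Python, not code from the original thread or from Splunk: it pairs logon events (528/540/4624) with logoff events (538/551/4634/4647) by Logon ID, then reports every account whose session overlaps an 8 PM to 4 AM window, including sessions that opened before 8 PM and never saw a logoff. The event records are constructed sample data; the field names mirror the Logon_ID, Logon_Type and Account_Name extractions of the Splunk TA for Windows but are an assumption of this example, and by default only interactive logon types (2, 10, 11) are kept and machine accounts and ANONYMOUS LOGON are dropped.

```python
from datetime import datetime

# Windows Security event IDs for logon/logoff. 528/540/538/551 are the
# Windows 2000/2003 IDs; 4624/4634/4647 are their Vista/2008+ equivalents.
LOGON_CODES = {528, 540, 4624}
LOGOFF_CODES = {538, 551, 4634, 4647}
# Logon types that mean a person at a console or in an RDP session
# (2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive).
# Type 3 (Network) fires on every share access and would flood the report.
INTERACTIVE_TYPES = {2, 10, 11}

# Constructed sample data, not taken from the original thread. Keys mirror the
# Splunk TA for Windows extractions (Account_Name, Logon_ID, Logon_Type); that
# mapping is an assumption of this example. Times are fixed-width so that a
# plain string sort is a chronological sort.
SAMPLE_EVENTS = [
    # alice: console logon at 17:30, no logoff ever recorded -> logged in all night
    {"time": "2013-05-01 17:30:00", "code": 4624, "account": "alice", "logon_id": "0x3e7a1", "logon_type": 2},
    # bob: RDP logon at 21:15, logoff at 23:00 -> inside the window, but only until 23:00
    {"time": "2013-05-01 21:15:00", "code": 4624, "account": "bob", "logon_id": "0x4f001", "logon_type": 10},
    {"time": "2013-05-01 23:00:00", "code": 4634, "account": "bob", "logon_id": "0x4f001"},
    # carol: logged on during the day, user-initiated logoff at 18:45 -> gone before 8 PM
    {"time": "2013-05-01 09:00:00", "code": 4624, "account": "carol", "logon_id": "0x2a100", "logon_type": 2},
    {"time": "2013-05-01 18:45:00", "code": 4647, "account": "carol", "logon_id": "0x2a100"},
    # noise: a machine account network logon and an ANONYMOUS LOGON at 2 AM
    {"time": "2013-05-02 02:00:00", "code": 4624, "account": "DC01$", "logon_id": "0x9b000", "logon_type": 3},
    {"time": "2013-05-02 02:05:00", "code": 4624, "account": "ANONYMOUS LOGON", "logon_id": "0x9b0ff", "logon_type": 3},
    # dave: legacy 2003-style code 528 at 03:30, still logged on when the window closes
    {"time": "2013-05-02 03:30:00", "code": 528, "account": "dave", "logon_id": "0x7c000", "logon_type": 2},
]

WINDOW_START = datetime(2013, 5, 1, 20, 0)  # 8 PM
WINDOW_END = datetime(2013, 5, 2, 4, 0)     # 4 AM the next morning


def is_noise(account):
    """Machine accounts end in '$'; ANONYMOUS LOGON is null-session traffic."""
    return account.endswith("$") or account.upper() == "ANONYMOUS LOGON"


def build_sessions(events):
    """Pair each logon with its logoff by Logon ID. A session whose logoff was
    never seen keeps end=None, which is exactly the 'stayed logged in' case.
    Logon IDs are only unique per host per boot, so on real data key on
    (host, logon_id) rather than logon_id alone."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        lid = ev["logon_id"]
        if ev["code"] in LOGON_CODES:
            sessions[lid] = {"account": ev["account"], "logon_type": ev.get("logon_type"),
                             "start": t, "end": None}
        elif ev["code"] in LOGOFF_CODES and lid in sessions:
            sessions[lid]["end"] = t
        # A logoff whose logon was not in the searched data is ignored: widen
        # 'earliest' if that happens, the logon may be hours before the window.
    return sessions


def users_logged_in_during(events, window_start, window_end,
                           logon_types=INTERACTIVE_TYPES, drop_noise=True):
    """Return {account: [(start, end), ...]} for every session that overlaps
    the window: it began before the window closed and did not end before it
    opened. end is None for sessions with no logoff recorded."""
    result = {}
    for s in build_sessions(events).values():
        if s["logon_type"] not in logon_types:
            continue
        if drop_noise and is_noise(s["account"]):
            continue
        ended_before_window = s["end"] is not None and s["end"] <= window_start
        if s["start"] < window_end and not ended_before_window:
            result.setdefault(s["account"], []).append((s["start"], s["end"]))
    return result


if __name__ == "__main__":
    for account, spans in sorted(users_logged_in_during(SAMPLE_EVENTS, WINDOW_START, WINDOW_END).items()):
        for start, end in spans:
            print(f"{account:<10} {start:%Y-%m-%d %H:%M} -> {end:%Y-%m-%d %H:%M}" if end
                  else f"{account:<10} {start:%Y-%m-%d %H:%M} -> (no logoff recorded)")
```

Two things carry over to the Splunk version of this. First, the search that feeds the correlation must reach back much earlier than 8 PM (the whole previous day, or longer), because the 4624 for an all-night session may have been logged at 9 AM; a search bounded to the window itself can only ever show logons, which is the limitation noted above. Second, the pairing is done on the Logon_ID field, which Splunk's transaction command can do, and an unpaired logon at the end of the search range is the "still logged in" signal, not an error.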
Let me know if you have any problems. There are a billion things you can do with simple searches.
Great thanks, I figured a search would do it, I'm just a noob to this whole thing. Looking forward to giving this a go. Thanks
Not at work so I can't verify, but I believe we are using the default index setup with the Active Directory App, which is the "main" index, for WinEventLog-Security in eventtypes.conf.
All the other AD related stuff I think goes into the "msad" index.
As far as the event ID associated with a logon, I believe it is 4624 or 4648.
What index are you storing your DC Security Event Logs in? Also, do you know what the event ID associated with a logon event is?