All Apps and Add-ons
Highlighted

stats/eventstats - how to track open session when closed session entry doesnot have user id

SplunkTrust
SplunkTrust

I have the following logs from my Linux /var/log/secure

15/03/2016 10:30:20 server1 session opened for user root by joe
...
15/03/2016 10:40:20 server1 session closed for user root

...
15/03/2016 10:50:25 server1 session opened for user root by dany

If we don't see any 'session closed for user root' for more than 30mins, we want to alert operations team. As 'session closed for user root' doesn't have 'joe' or 'dany', using evenstats ..... by 'user' doesn't count the closed session.

I want to be able to find out no.of open and closed session and alert providing, _time, host name, and user whose session is open for more than 30mins without any actions/activities on the server.

Any thoughts/suggestions please.

Highlighted

Re: stats/eventstats - how to track open session when closed session entry doesnot have user id

Legend

Try one of these

... | rex "(?<action>opened|closed)" | reverse | streamstats count as grp by action | stats values(action) as action latest(_time) as end earliest(_time) as start by grp | where mvcount(action)<2 OR end-start>1800

OR

... | transaction server startswith=opened endswith=closed max_span=1800  keepevicted=t | where closed_txn=0

instead of max_span=1800, you could also try max_events=2

Highlighted

Re: stats/eventstats - how to track open session when closed session entry doesnot have user id

SplunkTrust
SplunkTrust

Thanks Sundaresh, that helps.. Thinking aloud, after the user su as root, if he/she continuously work on some activities using root account, the session will be active, even after 30mins and we may not get 'closed'. So, in this case, we shouldn't send out an alert, as the session is still active....

any thoughts?

0 Karma
Highlighted

Re: stats/eventstats - how to track open session when closed session entry doesnot have user id

Legend

In the first query, you can add values(user) and where NOT (user="su") to filter those out. In the second search, | where NOT mvfind(user, "su") (or something like that)

0 Karma