Dashboards & Visualizations

How to generate a real-time dashboard that shows a list of currently logged in users on a server?

nickbijmoer
Path Finder

Hey guys,

I want a list of currently logged in users of a specific server.
And when that person logs off, I want him to be removed from that list.
So basically a real-time dashboard of logged-in people on a server.
Is this possible?

0 Karma
1 Solution

richgalloway
SplunkTrust

Not knowing exactly what your data looks like, I can only give a generic answer.

index=foo (event=LOGIN OR event=LOGOUT) server=bar earliest=-8h | dedup username | where event="LOGIN" | rename _time as "Login time" | table username "Login time"

This collects all login and logout events for the last eight hours. The dedup command keeps only the most recent event for each user (either LOGIN or LOGOUT) and the where command throws away the LOGOUT events so all that's left is login events. You'll need to set the field names and values to match your world, of course.

---
If this reply helps you, an upvote would be appreciated.

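As an added illustration (not part of richgalloway's answer and not Splunk code), the following Python script replays the same pipeline over a few constructed key=value log lines: keep events inside the 8-hour window and for the wanted server, keep only the newest event per user (what dedup does on newest-first results), then drop users whose newest event is a LOGOUT. The field names, the sample lines, the server name "bar" and the fixed NOW are all assumptions; the sample also covers a user who logged out and later logged back in, and a login that falls outside the window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the thread) in "timestamp key=value ..." form.
SAMPLE_EVENTS = """\
2024-01-02T08:00:00 server=bar event=LOGIN username=bob
2024-01-02T08:45:00 server=bar event=LOGOUT username=bob
2024-01-02T09:00:00 server=bar event=LOGIN username=alice
2024-01-01T20:00:00 server=bar event=LOGIN username=carol
2024-01-02T09:30:00 server=other event=LOGIN username=dave
2024-01-02T07:00:00 server=bar event=LOGOUT username=erin
2024-01-02T09:45:00 server=bar event=LOGIN username=erin
"""

# Assumed "current time" so the 8-hour window is reproducible.
NOW = datetime(2024, 1, 2, 10, 0, 0)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime _time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        fields["_time"] = datetime.fromisoformat(m.group("ts"))
        events.append(fields)
    return events


def currently_logged_in(events, server, now=NOW, window=timedelta(hours=8)):
    """Mirror of the SPL pipeline:
    earliest=-8h        -> keep only events inside the window
    dedup username      -> keep only the newest event per user
    where event="LOGIN" -> drop users whose newest event is a LOGOUT
    Returns [(username, login_time_iso)] sorted by username."""
    earliest = now - window
    candidates = [
        e for e in events
        if e.get("server") == server
        and e.get("event") in ("LOGIN", "LOGOUT")
        and earliest <= e["_time"] <= now
    ]
    # Splunk returns results newest first, so dedup keeps the most recent event.
    candidates.sort(key=lambda e: e["_time"], reverse=True)
    latest = {}
    for e in candidates:
        latest.setdefault(e["username"], e)
    return sorted(
        (user, e["_time"].isoformat())
        for user, e in latest.items()
        if e["event"] == "LOGIN"
    )


if __name__ == "__main__":
    for user, when in currently_logged_in(parse_events(SAMPLE_EVENTS), "bar"):
        print(f"{user}\t{when}")
```

On the sample, bob disappears because his newest event is a LOGOUT, carol disappears because her login is older than the window, dave is on another server, and erin stays because her latest event is a fresh LOGIN; only alice and erin remain.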

gcusello
Legend

Hi nickbijmoer,
on Windows it isn't so easy to find the currently logged-in users (Linux is easier!).
Anyway, I solved the problem with a little script running on the forwarders:

@echo off
REM --------------------------------------
REM Check active user sessions
REM --------------------------------------

REM Get event date and time
set date_time=%date% %time%

REM Print the event date and time, this will be the event timestamp
echo Current time: %date_time%

REM print the current user session
query user

This script is located in the bin directory of a Technology Add-On distributed to all the Windows machines and sends to Splunk (via the Forwarder) an event with a timestamp and some information about the currently logged-in users (username, sessionname, id, status, lastaccess).
I run this script every 5 minutes.
If you have old machines (like XP) this script doesn't run and you have to use a different command (qwinsta) in your script.

Bye.
Giuseppe

0 Karma

nickbijmoer
Path Finder

Cool, thanks 🙂 How can I make this real-time?

0 Karma

richgalloway
SplunkTrust

You don't want to do that. Real-time searches waste resources. Scheduling the search to run every 5 minutes should be sufficient.

---
If this reply helps you, an upvote would be appreciated.

nickbijmoer
Path Finder

Ahh yeah, that's right! Thanks for the tip! 🙂

0 Karma

treinke
SplunkTrust

You are going to be looking at multiple Windows events to handle this. There is also an issue in Windows where someone disconnects but doesn't log out. Below is a great resource on the Windows events around login/logout.

https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/64

There are no answers without questions
0 Karma

treinke
SplunkTrust

Windows or Linux?

There are no answers without questions
0 Karma

nickbijmoer
Path Finder

Windows Server

0 Karma