Hey guys,
I want a list of currently logged in users of a specific server.
And when that person logs off, I want him to be removed from that list.
So basically a real time dashboard with logged in people on a server.
Is this possible?
Not knowing exactly what your data looks like, I can only give a generic answer.
index=foo (event=LOGIN OR event=LOGOUT) server=bar earliest=-8h | dedup username | where event="LOGIN" | rename _time as "Login time" | table username "Login time"
This collects all login and logout events for the last eight hours. The dedup command keeps only the most recent event for each user (either LOGIN or LOGOUT) and the where command throws away the LOGOUT events so all that's left is login events. You'll need to set the field names and values to match your world, of course.
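To make the dedup/where logic above concrete, here is an added Python example (not part of the original answer) that replays the same pipeline over a handful of constructed LOGIN/LOGOUT records. The field names `_time`, `event`, `username` and `server` and the sample values are placeholders chosen to match the "foo"/"bar" search, not real data.

```python
from datetime import datetime, timedelta

# Constructed sample events in the shape the search assumes: one record per
# LOGIN/LOGOUT with a username, a server and a timestamp. Values are made up.
SAMPLE_EVENTS = [
    {"_time": datetime(2024, 3, 5, 8, 0),  "event": "LOGIN",  "username": "alice", "server": "bar"},
    {"_time": datetime(2024, 3, 5, 8, 5),  "event": "LOGIN",  "username": "bob",   "server": "bar"},
    {"_time": datetime(2024, 3, 5, 9, 0),  "event": "LOGOUT", "username": "alice", "server": "bar"},
    {"_time": datetime(2024, 3, 5, 9, 30), "event": "LOGIN",  "username": "alice", "server": "bar"},
    {"_time": datetime(2024, 3, 5, 9, 45), "event": "LOGOUT", "username": "bob",   "server": "bar"},
    {"_time": datetime(2024, 3, 5, 10, 0), "event": "LOGIN",  "username": "carol", "server": "other"},  # other server
    {"_time": datetime(2024, 3, 5, 1, 0),  "event": "LOGIN",  "username": "dave",  "server": "bar"},    # older than 8h
]

# The "now" the constructed sample is evaluated against.
SAMPLE_NOW = datetime(2024, 3, 5, 10, 30)


def currently_logged_in(events, server, now, window_hours=8):
    """Mirror of the SPL pipeline:
         search -> keep LOGIN/LOGOUT for `server` newer than now - window
         dedup  -> keep the most recent event per username
         where  -> drop users whose most recent event is a LOGOUT
       Returns {username: login_time}."""
    earliest = now - timedelta(hours=window_hours)
    candidates = [
        e for e in events
        if e["server"] == server
        and e["event"] in ("LOGIN", "LOGOUT")
        and e["_time"] >= earliest
    ]
    # Splunk hands dedup the events newest-first, which is what makes "dedup
    # username" keep the latest event per user. Sort explicitly so the result
    # does not depend on the order of the input list.
    candidates.sort(key=lambda e: e["_time"], reverse=True)
    latest = {}
    for e in candidates:
        latest.setdefault(e["username"], e)  # first seen == most recent
    return {u: e["_time"] for u, e in latest.items() if e["event"] == "LOGIN"}


if __name__ == "__main__":
    for user, t in currently_logged_in(SAMPLE_EVENTS, "bar", SAMPLE_NOW).items():
        print(f"{user:10} Login time: {t:%Y-%m-%d %H:%M}")
```

With the sample data only alice is reported (her latest event is a LOGIN at 09:30); bob's latest event is a LOGOUT, carol is on a different server, and dave's login falls outside the eight-hour window. Widening `window_hours` brings dave back, which is the same effect as changing `earliest=-8h` in the search.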
Hi nickbijmoer,
using Windows it isn't so easy to find the currently logged-in users (Linux is easier!).
Anyway, I solved the problem with a little script running on the forwarders:
@echo off
REM --------------------------------------
REM Check active user sessions
REM --------------------------------------
REM Get event date and time
set date_time=%date% %time%
REM Print the event date and time, this will be the event timestamp
echo Current time: %date_time%
REM print the current user session
query user
This script is located in the bin directory of a Technology Add-on distributed to all the Windows machines and sends to Splunk (via the forwarder) an event with a timestamp and some information about the currently logged-in users (username, sessionname, id, status, last access).
I run this script every 5 minutes.
If you have old machines (like XP) this script doesn't run and you have to use a different command (qwinsta) in your script.
Bye.
Giuseppe
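Once the `query user` output reaches Splunk, the fields Giuseppe lists still have to be extracted from it. The following is an added Python example (not code from the add-on described above) showing a parser for that output; the sample text is constructed by hand and the column values (`Active`/`Disc`) assume an English-language Windows. The one thing a naive whitespace split gets wrong is that the SESSIONNAME column is blank for disconnected sessions, so the parser treats it as optional.

```python
import re

# Constructed sample of `query user` output (not captured from a real host).
# The ">" marks the session the command was run from; the SESSIONNAME column
# is empty for a disconnected session, which breaks naive whitespace splitting.
SAMPLE_OUTPUT = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         console             1  Active      none   3/5/2024 8:12 AM
 jdoe                  rdp-tcp#3           2  Active         12  3/5/2024 9:01 AM
 asmith                                    3  Disc        1:05   3/5/2024 7:45 AM
"""

SESSION_RE = re.compile(
    r"^[ >](?P<username>\S+)\s+"
    r"(?:(?P<sessionname>\S+)\s+)?"   # absent when the session is disconnected
    r"(?P<id>\d+)\s+"
    r"(?P<state>Active|Disc)\s+"      # assumes English column values
    r"(?P<idle>\S+)\s+"
    r"(?P<logon>.+?)\s*$"
)


def parse_query_user(text):
    """Turn `query user` output into one dict per session.
    Header and blank lines simply do not match the pattern and are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        s = m.groupdict()
        s["id"] = int(s["id"])
        s["current"] = line.startswith(">")
        sessions.append(s)
    return sessions


def active_sessions(sessions):
    """Only sessions whose STATE is Active. A Disc session is a user who
    disconnected without logging off: still logged in as far as Windows is
    concerned, so whether to count it is a policy decision for the dashboard."""
    return [s for s in sessions if s["state"] == "Active"]


if __name__ == "__main__":
    for s in parse_query_user(SAMPLE_OUTPUT):
        print(f'{s["username"]:15} {s["sessionname"] or "-":12} id={s["id"]} '
              f'{s["state"]:7} idle={s["idle"]:6} logon={s["logon"]}')
```

On the constructed sample this yields three sessions, with `asmith` parsed as `Disc` and `sessionname` set to `None`; `active_sessions` returns only `administrator` and `jdoe`.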
Cool, thanks 🙂 How can I make this real-time?
You don't want to do that. Real-time searches waste resources. Scheduling the search to run every 5 minutes should be sufficient.
Ahh yeah, that's right! Thanks for the tip! 🙂
You are going to be looking at multiple Windows events to handle this. There is also an issue in Windows if someone disconnects and doesn't log out. Below is a great resource on the Windows events around login/logout.
https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/64
Windows or Linux?
Windows server