Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I need to write a query to to report on all last logon times for users that logged into any linux in our environment. What am I doing wrong?

dylan_yoder
New Member
‎03-07-2016 01:06 PM

The query I wrote doesn't seem to work as expected. The time stamp is missing under the logon_time column next to the corresponding listed users and the users in the user column show many duplicate occurrences (example: 20+ root logons) instead of a single entry of the last logon of that account on that specific host.

sourcetype=linux_secure source="/var/log/secure" (user=* OR ruser=*) ("Accepted Publickey" OR "session opened" OR "Accepted password")
| stats list(user) as User, list(ruser) as "Remote User", list(latest(eval(if(action==success,_time, null())))) as logon_time by host
| eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time)
| sort –count
0 Karma
Reply

somesoni2
Revered Legend
‎03-07-2016 02:24 PM

Try like this

sourcetype=linux_secure source="/var/log/secure" (user=* OR ruser=*) ("Accepted Publickey" OR "session opened" OR "Accepted password") |  eval logon_time =if(action==success,_time, null()) | stats values(logon_time ) as logon_time by host user ruser | eval logon_time=mvindex(logon_time,-1)  | eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time) | stats list(user) as User, list(ruser) as "Remote User", list(logon_time) as logon_time by host

Update

This should give you latest logon for each (unique) user per host.

sourcetype=linux_secure source="/var/log/secure" (user=* OR ruser=*) ("Accepted Publickey" OR "session opened" OR "Accepted password") |  eval logon_time =if(action==success,_time, null()) | stats latest(logon_time) as logon_time by host user ruser | eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time)

If you want to group users and their corresponding logon time based on host, then you can add following to above search

| stats list(*) as * by host
0 Karma
Reply

dylan_yoder
New Member
‎03-09-2016 07:57 AM

I ended up using the following queries to get the desired results

sourcetype=linux_secure user=* ("Accepted Publickey" OR "session opened" OR "Accepted password")
| stats latest(eval(if(vendor_action="session opened",_time, null()))) as logon_time by host user
| eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time)
| sort –count
| stats list(user) as user, list(logon_time) as logon_time by host

OR

sourcetype=linux_secure source="/var/log/secure" (user=* OR ruser=*) ("Accepted Publickey" OR "session opened" OR "Accepted password") |  eval logon_time =if(action="success",_time, null()) | stats latest(logon_time) as logon_time by host user  | eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time) |  stats list(*) as * by host | sort -logon_time

Both seemed to work.

0 Karma
Reply

dylan_yoder
New Member
‎03-08-2016 06:10 AM

That didn't seem to work for me unfortunately. Nothing resolved at all. I need it to show the latest/most recent logon event for the individual/unique user listed by Linux host.

0 Karma
Reply

dylan_yoder
New Member
‎03-09-2016 07:54 AM

Thanks that helped!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...