Getting Data In

How can I identify login and logoff times for users using Windows Security Event-IDs 4624 and 4634?

Aufex
New Member

Hello,
I want to identify the login and logouts for each user on a server.
I use event_id 4624 (logon) and 4634 (logoff). The problem is that Windows generates multiple events for only one login/logoff.
It seems that they share the same login_id.
So I try something like:

    host="server a" user="allice" (EventCode=4624 OR EventCode=4634)

now I need something like:

    | where login_id=login_id

So that I get only 2 events for one login/logoff, but for all users and over time 🙂

Thanks for reading.

0 Karma

nickhills
Ultra Champion

Are you sure you're not seeing multiple events for logon type 3 or logon type 4, which are network or service logons? It's quite conceivable you would see lots of these during login (and use) as your system downloads profiles, maps drives, etc.

If you restrict your search to LoginType2 (interactive) you may have more concise results.
I am not near Splunk at the moment, so this may not work off the hop, but this might get you closer.

    ((EventCode=4624 (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)) OR (EventCode=4634 OR EventCode=4647)) | transaction user, host startswith="EventCode=4624"

Edited to include logon type 7 (unlock) and 10 (remote desktop).

If my comment helps, please give it a thumbs up!
0 Karma

harsmarvania57
SplunkTrust

Hi @Aufex,

Can you please try this?

    host="server a" user="allice" (EventCode=4624 OR EventCode=4634)  | dedup EventCode,user

EDIT: If the above query works, then remove user="allice" from it so it will give you results for all users who log in/log off on server a.

0 Karma
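An added example, not posted by anyone in this thread, that does in Python what the question asks for: it keeps only the interactive logon types nickhills lists (2, 7, 10), collapses repeated 4624 events that share one Logon ID, and pairs each logon with the 4634/4647 that carries the same Logon ID, giving one row per session. The event records are constructed, and the field names (Logon_ID, Logon_Type, EventCode, user) are assumed to match how Splunk's Windows add-on extracts them.

```python
from datetime import datetime

# Logon types that represent a real user session on the box: 2 interactive,
# 7 unlock, 10 RemoteInteractive (RDP). Type 3 (network) and 5 (service)
# logons are skipped; they are the extra 4624 events seen around one login.
INTERACTIVE_TYPES = {"2", "7", "10"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events; field names follow the Splunk Windows add-on
# (EventCode, user, Logon_Type, Logon_ID) but every value is made up.
SAMPLE_EVENTS = [
    {"_time": "2021-09-01 08:00:00", "EventCode": "4624", "user": "allice", "Logon_Type": "2", "Logon_ID": "0x3e7a1"},
    {"_time": "2021-09-01 08:00:00", "EventCode": "4624", "user": "allice", "Logon_Type": "2", "Logon_ID": "0x3e7a1"},  # repeat, same Logon_ID
    {"_time": "2021-09-01 08:00:01", "EventCode": "4624", "user": "allice", "Logon_Type": "3", "Logon_ID": "0x3e7b0"},
    {"_time": "2021-09-01 08:00:02", "EventCode": "4624", "user": "allice", "Logon_Type": "3", "Logon_ID": "0x3e7b4"},
    {"_time": "2021-09-01 09:30:00", "EventCode": "4624", "user": "bob", "Logon_Type": "10", "Logon_ID": "0x4a100"},
    {"_time": "2021-09-01 12:00:00", "EventCode": "4634", "user": "allice", "Logon_Type": "3", "Logon_ID": "0x3e7b0"},
    {"_time": "2021-09-01 17:05:00", "EventCode": "4647", "user": "allice", "Logon_Type": "", "Logon_ID": "0x3e7a1"},
    {"_time": "2021-09-01 17:20:00", "EventCode": "4634", "user": "bob", "Logon_Type": "10", "Logon_ID": "0x4a100"},
]


def make_session(start, end):
    """One row per session; end is None while the logon is still open."""
    t0 = datetime.strptime(start["_time"], TIME_FMT)
    minutes = None
    if end is not None:
        minutes = int((datetime.strptime(end["_time"], TIME_FMT) - t0).total_seconds() // 60)
    return {"user": start["user"], "logon": start["_time"],
            "logoff": None if end is None else end["_time"], "minutes": minutes}


def build_sessions(events):
    """Pair each interactive 4624 with the 4634/4647 carrying the same Logon_ID."""
    open_logons = {}  # Logon_ID -> first 4624 seen for it (drops the repeats)
    sessions = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        code, logon_id = ev["EventCode"], ev["Logon_ID"]
        if code == "4624" and ev["Logon_Type"] in INTERACTIVE_TYPES:
            open_logons.setdefault(logon_id, ev)
        elif code in ("4634", "4647") and logon_id in open_logons:
            sessions.append(make_session(open_logons.pop(logon_id), ev))
    # Logons with no matching logoff yet are reported as still open.
    sessions.extend(make_session(ev, None) for ev in open_logons.values())
    return sessions


if __name__ == "__main__":
    for session in build_sessions(SAMPLE_EVENTS):
        print(session)
```

In real 4624 events the Logon ID appears twice (the subject's and the new logon's); the new logon's value is the one a 4634/4647 later refers to, so that is the one to key on.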