Getting Data In

How can I identify login and logoff times for users using Windows Security Event-IDs 4624 and 4634?

Aufex
Explorer

Hello,
I want to identify the login and logouts for each user on a server.
I use the event_id 4624 (logon) and 4634(logoff). the problem is that Windows generates multiple events for only one login/logoff.
It seems that they share the same login_id.
so I try something like:

host="server a" user="allice" (EventCode=4624 OR EventCode=4624 )

now I need something like:

| where login_id= login_id

So that I get only 2 events for one login/logoff , but for all users and over time 🙂

Thanks for reading.

0 Karma

nickhills
Ultra Champion

Are you sure your not seeing multiple events for logintype3 or logintype4 which are network or service logons - its quite conceivable you would see lots of these during login (and use) as you system downloads profiles/maps drives etc.

If you restrict your search to LoginType2 (interactive) you may have more concise results.
I am not near Splunk at the moment, so this may not work off the hop, but this might get you closer.

((EventCode=4624 (Logon_Type=2 OR login_Type=7 OR Login_Type=10)) OR (EventCode=4634 OR EventCode=4647) )|transaction user, host startswith="EventCode=4624"

edited to include loging type7 (unlock) and 10 (remote desktop)

If my comment helps, please give it a thumbs up!
0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi @Aufex,

Can you please try this?

    host="server a" user="allice" (EventCode=4624 OR EventCode=4634)  | dedup EventCode,user

EDIT: If above query works then remove user="allice" from above query so it will give you result for all users who login/logoff in server a

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...