Getting Data In

How to identify user activities login / logout (reason to logout)?

godaba
Observer

Hi Team,

I am a learner, so I want to know about identifying the session login / logout time periods of users and the reasons for the activities.

0 Karma

godaba
Observer

I am a learner of Splunk. As an initial requirement, I just want to monitor the users from Windows (AD users): when they logged in / activity performed by them / logout reason etc. Please guide me if you need more inputs on this. Is it possible to view the reports from the GUI?

0 Karma

gcusello
Legend

Hi @godaba,

as I said, you first need to take and parse logs from Windows servers.

You can do this by deploying the Splunk_TA_Windows (https://splunkbase.splunk.com/app/742/) to your Domain Controllers.

Before deploying it, you have to enable the inputs you need; for this use case, at least wineventlog:security.

I suppose that you already installed and configured your Universal Forwarders to send data to Splunk Enterprise.

In this way, you have logs for searching.

So you can run a simple search like the following:

index=wineventlog EventCode IN ("4624","4625","4634")
| stats count BY EventCode

In this way you have the login, logout and logfail logs.

Ciao.

Giuseppe

0 Karma

godaba
Observer

Thanks for the assistance, Giuseppe, to get on hand.

So the GUI is not possible for my requirement, right? As suggested by you, I will follow the videos to get more.

Could you please help me to better understand this command below?

index=wineventlog EventCode IN ("4624","4625","4634")

0 Karma

gcusello
Legend

Hi @godaba,

it's the same thing as using:

index=wineventlog (EventCode=4624 OR EventCode=4625 OR EventCode=4634)

Ciao.

Giuseppe

0 Karma

gcusello
Legend

Hi @godaba,

Anyway, your question is just a little vague because it depends on what technologies you have as inputs, what the purpose of your analysis is, and what your knowledge of Splunk is.

In other words:

  • at first you have to list all the technologies that you have as inputs (e.g. Windows, Linux, Cisco ASA, etc.),
  • then you have to identify the rules for each source (e.g. win login is EventCode=4624, win logfail is EventCode=4625, etc.),
  • then you have to create an eventtype for each condition and associate a tag to it (e.g. LOGIN, LOGOUT, LOGFAIL),
  • then you can run a search on these tags using SPL.

These aren't jobs to do via the GUI; for this reason I ask you: what's your knowledge of Splunk getting data in and the Splunk language (SPL)?

You need both of them.

You can find many videos about getting data in on the Splunk YouTube channel, and the tutorial for SPL at https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial

Ciao.

Giuseppe

0 Karma
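The four steps above (rules per EventCode, a tag per condition, then a search on the tags) and the original question about session time periods, worked through in Python over a few constructed Windows Security events. This is an added example, not code from the thread or from Splunk; the sample events, the Logon_ID values and the Status codes are constructed, and the pairing of 4624 with 4634 by Logon_ID is the approach assumed here.

```python
from datetime import datetime

# Constructed sample Windows Security events (not real logs), already field-extracted
# the way the thread's search would see them: (time, EventCode, user, Logon_ID, other fields).
SAMPLE_EVENTS = [
    ("2024-05-01 08:02:10", 4624, "alice", "0x3e7a1", {"Logon_Type": "2"}),
    ("2024-05-01 08:05:33", 4625, "bob",   "0x0",     {"Status": "0xC000006D"}),
    ("2024-05-01 08:06:01", 4624, "bob",   "0x4f902", {"Logon_Type": "10"}),
    ("2024-05-01 11:30:45", 4634, "alice", "0x3e7a1", {}),
    ("2024-05-01 12:00:00", 4634, "bob",   "0x4f902", {}),
    ("2024-05-01 12:10:00", 4624, "carol", "0x5aa10", {"Logon_Type": "3"}),
]

# Steps 2 and 3 from the thread: one rule per condition, each mapped to a tag.
# In Splunk this would be an eventtype per EventCode plus tags.conf; here it is a dict.
RULES = {4624: "LOGIN", 4634: "LOGOUT", 4625: "LOGFAIL"}

# NTSTATUS values that 4625 reports in its Status field (Microsoft's documented codes).
FAILURE_REASON = {"0xC000006D": "bad user name or password",
                  "0xC0000234": "account locked out"}

def tag_event(event_code):
    """Steps 2/3: map an EventCode to its tag, or None if no rule covers it."""
    return RULES.get(event_code)

def build_sessions(events):
    """Step 4, the 'search on tags': a LOGIN opens a session keyed by (user, Logon_ID) and
    the LOGOUT carrying the same Logon_ID closes it. 4634 has no reason field, so a logout
    only yields a time; a reason exists only for failures (the 4625 Status field)."""
    sessions, failures = {}, []
    for ts, code, user, logon_id, fields in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        tag = tag_event(code)
        if tag == "LOGIN":
            sessions[(user, logon_id)] = {"start": when, "end": None, "seconds": None,
                                          "logon_type": fields.get("Logon_Type")}
        elif tag == "LOGOUT":
            session = sessions.get((user, logon_id))
            if session and session["end"] is None:  # ignore logoffs with no matching logon
                session["end"] = when
                session["seconds"] = int((when - session["start"]).total_seconds())
        elif tag == "LOGFAIL":
            status = fields.get("Status")
            failures.append({"time": when, "user": user,
                             "reason": FAILURE_REASON.get(status, "unknown status " + str(status))})
    return sessions, failures
```

Calling build_sessions(SAMPLE_EVENTS) returns closed sessions for alice and bob with their duration in seconds, an open session for carol (no 4634 seen yet), and bob's single failed logon with its reason.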

ITWhisperer
SplunkTrust

Start with the data

Do you have it already ingested into Splunk?

Do you understand the data?

Can you write a search to speed up interpretation of the data?

How do you want to represent the information you have obtained by analysing the data?

0 Karma