Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to identify user activities login / logout (reason to logout)?

godaba
Observer
‎07-05-2022 12:52 PM

Hi Team,

I am a learner, so want to know about identifying the session login / logout time periods of an users and reasons for the activities.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

godaba
Observer
‎07-06-2022 12:24 AM

I am a learner to Splunk, as an initial requirement, just want to monitor the User's from windows ( AD Users ), when they logged in / activity performed by them / logout reason etc..Please guide if need more inputs on this. Possible to view the reports from GUI?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2022 12:48 AM

Hi @godaba,

as I said, you need at first to take and parse logs from Windows servers.

You can do this deploying to your Domain Controllers the Splunk_TA_Windows (https://splunkbase.splunk.com/app/742/).

Before deploying it, you have to enable the inputs, you need, for this Use Case at least wineventlog:security.

I suppose that you already installed and configured your Universal Forwarders to send data to Splunk Enterprise.

In this way, you have logs for searching.

So you can run a simple search like this following:

index=wineventlog EventCode IN ("4624","4525","4634")
| stats count BY EventCode

In this way you have the login, logout and logfail logs.

Ciao.

Giuseppe

0 Karma
Reply

godaba
Observer
‎07-06-2022 04:55 AM

Thanks for assistance Giuseppe, to get on hand. 

So GUI is not possible for my requirement right,  as suggested by you, I will follow the videos to get more.

Could you please help me in better understanding of this command below.

index=wineventlog EventCode IN ("4624","4525","4634")

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-06-2022 05:19 AM

Hi @godaba,

it's the same thing to use:

index=wineventlog (EventCode=4624 OR EventCode=4525 OR EventCode=4634)

Ciao.,

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-05-2022 11:46 PM

Hi @godaba,

Anyway, your question is just a little vague because depends on what technologies you have as inputs, what's the purpose of your analysis, and what's your knowledge of Splunk.

In other words:

  • at first you have to list all the technologies that you have as inputs (e.f. windows, linux, Cisco ASA, etc...),
  • then you have to identify the rules for each source (e.g. win login is EventCode=4624, win logfail is EventCode=4625, etc...),
  • then you have to create an eventtype for each condition and associate to it a tag (e.g.: LOGIN, LOGOUT, LOGFAIL),
  • then you can run a search on these tags using SPL.

These aren't jobs to do via GUI, for this reason I ask you: what's you knowledge of Splunk getting data in and Splunk language (SPL)?

You need both of them.

You can find many videos about getting data in on Splunk YouTube Channel and the tutorial for SPL at https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-05-2022 10:42 PM

Start with the data

Do you have it already ingested into Splunk?

Do you understand the data?

Can you write a search to find speed up interpretation of the data?

How do you want to represent the information you have obtained by analysing the data?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...