How to monitor user activity (logon and logoff)

gntavelis
New Member

Hello,

Excuse my lack of expertise with Splunk. Could you please let me know how I can track when a specific user logs on to and off from the computer? I am using a universal forwarder on the DC, for the security logs only. I can see that I have a lot of events inside the Splunk server, so it must be working.

Thank you

0 Karma

to4kawa
Ultra Champion

How about Security Essentials?

0 Karma

gcusello
SplunkTrust

Hi @gntavelis,
if you have DC logs, you surely have the following EventCodes, which relate to login, logout and login failure:
Login 4624, LogFail 4625, LogOut 4634.
So you can search something like this:

index=wineventlog (EventCode=4624 OR EventCode=4625 OR EventCode=4634
| table _time user EventCode EventCodeDescription

Ciao.
Giuseppe

0 Karma

gntavelis
New Member

Problems...

I am using the trial (free) version of Splunk and, due to the number of events, I think I violated the license.
Is there a way to forward only specific events from the domain controller to Splunk? Maybe by using a subscription in the Event Viewer? Now I am using the Splunk universal forwarder, which is installed on the domain controller, and I do have the option to select only the security logs, but I don't have the option to select specific events....

Please help
Thank you

0 Karma

gcusello
SplunkTrust

Hi @gntavelis,
you can filter events in the Universal Forwarder.
In inputs.conf on the Domain Controller:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = EventCode\=4624|4634|4625
index = wineventlog
renderXml = false

Ciao.
Giuseppe

0 Karma

gntavelis
New Member

Hello Giuseppe! Thank you for your answer...

I searched inside the Splunk universal forwarder directory and there is a directory named input and, let's say, 6 or 7 inputs.conf files. Could you please tell me which conf file I have to edit?

image: https://imgur.com/XynPDRa

0 Karma

gcusello
SplunkTrust

Hi @gntavelis,
inputs.conf is usually in $SPLUNK_HOME/etc/apps/your_TA/local.
Probably the TA's name is TA_Windows, so open $SPLUNK_HOME/etc/apps/TA_Windows/local/inputs.conf;
you should find the stanza [WinEventLog://Security];
in this stanza add the row whitelist = EventCode\=4624|4634|4625 and restart Splunk.

If you have many Universal Forwarders, you are probably managing them using a Deployment Server; in this case, you have to modify TA_Windows on the Deployment Server, not directly on the Universal Forwarders.

Ciao.
Giuseppe

0 Karma

gntavelis
New Member

Giuseppe thank you very much for your reply.

Where must I copy and paste the SPL statement? In the search box?
If yes, I am getting the following errors:

Error in 'search' command: Unable to parse the search: unbalanced parentheses.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

0 Karma

gcusello
SplunkTrust

Hi @gntavelis,
Sorry! I forgot the second parenthesis!

index=wineventlog (EventCode=4624 OR EventCode=4625 OR EventCode=4634)
| table _time user EventCode EventCodeDescription

Then you can save this search in a report or in a dashboard panel.

One caveat: in Windows, a single access to the system generates many login events, so it could seem that your user accessed the system many more times than in reality; you should filter the events by deduplicating them on _time, user and host.

Ciao.
Giuseppe

0 Karma
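Building on Giuseppe's search and his note about one access producing many logon events, the following search is an added example (not code from this thread) that deduplicates the events and keeps only the interactive logon types, so one session shows up as one logon row and one logoff row instead of several. It assumes the field names the Splunk Add-on for Microsoft Windows extracts from classic (non-XML) Security events, namely user, host, EventCode and Logon_Type, and the index name wineventlog from the inputs.conf stanza above; the logon-type values are Windows' own (2 console, 7 unlock, 10 RDP, 11 cached credentials).

```spl
index=wineventlog (EventCode=4624 OR EventCode=4625 OR EventCode=4634)
    NOT user="*$"
    (EventCode=4625 OR Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11)
| dedup _time host user EventCode
| eval action=case(EventCode=="4624", "logon",
                   EventCode=="4625", "logon failed",
                   EventCode=="4634", "logoff")
| eval logon_kind=case(Logon_Type=="2", "console",
                       Logon_Type=="7", "unlock",
                       Logon_Type=="10", "rdp",
                       Logon_Type=="11", "cached",
                       true(), "other")
| table _time host user action logon_kind EventCode Logon_Type
| sort 0 _time
```

Paste it into the search box with the time range you want to review. The NOT user="*$" clause drops computer accounts (machine names end in $), and the Logon_Type filter is what removes most of the noise on a domain controller: every file-share or Kerberos access to the DC writes a 4624 with Logon_Type 3 (network), which is why a user appears to "log on" hundreds of times a day. Failed attempts (4625) are kept regardless of logon type so that they remain visible, and the dedup on _time, host, user and EventCode collapses the duplicate rows Giuseppe describes.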

MuS
SplunkTrust

Hi gntavelis,

try this on your search head:

index=wineventlog (EventCode=4624 OR EventCode=4625 OR EventCode=4634)
| table _time user EventCode EventCodeDescription

The original post was missing a ) in the SPL.

cheers, MuS

0 Karma