Pulling logs from devices in my network, how can I create a table showing if and which users are logged in to these devices?

SecureIA
Path Finder

I am pulling logs from the devices in my network and I would like to know if it is possible for Splunk to show on a dashboard, whether or not a user is logged into it. Perhaps this can be displayed in the form of a table. For example it could list the name of every device and in another column show if/which user is currently logged in.

Any help would be massively appreciated.

0 Karma
1 Solution

sundareshr
Legend

Try this

Suppose this is your data

Dec 1 12:40:07 OIEXTFW01 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[1650]: msg_id="3E00-0002" Management user lheath@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:40:27 OIEXTFW01 Dec 1 12:38:31 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:31) sessiond[1650]: msg_id="3E00-0004" Management user lheath@Firebox-DB from 10.19.84.100 logged out.
Dec 1 12:42:07 OIEXTFW02 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[2650]: msg_id="3E00-0002" Management user lheath1@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:44:27 OIEXTFW02 Dec 1 12:38:31 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:31) sessiond[2650]: msg_id="3E00-0004" Management user lheath1@Firebox-DB from 10.19.84.100 logged out.
Dec 1 12:43:07 OIEXTFW01 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[3650]: msg_id="3E00-0002" Management user lheath2@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:46:27 OIEXTFW01 Dec 1 12:38:31 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:31) sessiond[4650]: msg_id="3E00-0004" Management user lheath3@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:48:07 OIEXTFW01 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[5650]: msg_id="3E00-0002" Management user lheath@Firebox-DB from 10.19.84.100 logged in.

This is the regex to extract fields

\d{2}\s(?<device>[^\s]{9})\s.*\[(?<sid>[^\]]+).*user\s(?<user>[^\s]+).*logged\s(?<lstate>\w+)

Here's the SPL to display who's logged in where at this point in time.

... | sort user _time | chart latest(lstate) over user by device

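To check the answer's logic offline, here is an added Python example (not from the post or from Splunk) that applies the same regex to a constructed copy of the sample events, reproduces `latest(lstate)` per user and device, and then flips the result into the device / logged-in-users table the question asked for. It assumes the syslog header timestamp is the event time (`_time`), and spells the named groups `(?P<name>...)` because Python's `re` requires that form.

```python
import re
from datetime import datetime

# The answer's regex, unchanged except that Python's re needs (?P<name>...) for named groups.
LOGIN_RE = re.compile(
    r"\d{2}\s(?P<device>[^\s]{9})\s.*\[(?P<sid>[^\]]+).*user\s(?P<user>[^\s]+)"
    r".*logged\s(?P<lstate>\w+)"
)

# Constructed copy of the answer's seven sample events (same out-of-order timestamps).
SAMPLE_LOG = """\
Dec 1 12:40:07 OIEXTFW01 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[1650]: msg_id="3E00-0002" Management user lheath@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:40:27 OIEXTFW01 Dec 1 12:38:31 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:31) sessiond[1650]: msg_id="3E00-0004" Management user lheath@Firebox-DB from 10.19.84.100 logged out.
Dec 1 12:42:07 OIEXTFW02 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[2650]: msg_id="3E00-0002" Management user lheath1@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:44:27 OIEXTFW02 Dec 1 12:38:31 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:31) sessiond[2650]: msg_id="3E00-0004" Management user lheath1@Firebox-DB from 10.19.84.100 logged out.
Dec 1 12:43:07 OIEXTFW01 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[3650]: msg_id="3E00-0002" Management user lheath2@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:46:27 OIEXTFW01 Dec 1 12:38:31 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:31) sessiond[4650]: msg_id="3E00-0004" Management user lheath3@Firebox-DB from 10.19.84.100 logged in.
Dec 1 12:48:07 OIEXTFW01 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[5650]: msg_id="3E00-0002" Management user lheath@Firebox-DB from 10.19.84.100 logged in.
"""

def extract(line):
    """Fields from one event plus _time, or None if the regex does not match. Assumes the
    syslog header (first three tokens) is the event time; note it carries no year."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["_time"] = datetime.strptime(" ".join(line.split()[:3]), "%b %d %H:%M:%S")
    return rec

def current_sessions(lines):
    """Equivalent of `sort user _time | chart latest(lstate) over user by device`:
    after ordering by time, the last state written per (user, device) wins."""
    events = sorted(filter(None, map(extract, lines)), key=lambda r: r["_time"])
    return {(e["user"], e["device"]): e["lstate"] for e in events}

def logged_in_by_device(lines):
    """The table the question asked for: each device with the users whose latest
    state is 'in' (empty list when nobody is logged in)."""
    table = {}
    for (user, device), state in current_sessions(lines).items():
        users = table.setdefault(device, [])
        if state == "in":
            users.append(user)
    return {device: sorted(users) for device, users in table.items()}

if __name__ == "__main__":
    for device, users in sorted(logged_in_by_device(SAMPLE_LOG.splitlines()).items()):
        print(device, "-", ", ".join(users) or "(nobody)")
```

The time sort matters: the OIEXTFW02 logout at 12:44:27 appears in the file before an OIEXTFW01 login at 12:43:07, so taking "last line seen" without sorting would still be right here by luck, but not in general.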
SecureIA
Path Finder

Thank you for your reply sundareshr.

My apologies, but how would I use these two commands together? Where would I put the regex? I haven't been using Splunk for long. My problem is that some of the other devices do not display login or authentication details in the same way.

0 Karma

SecureIA
Path Finder

With a bit more understanding, I achieved this Sir. Thank you so much!!!

0 Karma

sundareshr
Legend

Please share sample data from all relevant logs.

0 Karma

SecureIA
Path Finder

I have data that informs when a user has logged into a system and when they log out. I'll provide an example below:

Dec 1 12:40:07 OIEXTFW01 Dec 1 12:38:12 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:12) sessiond[1650]: msg_id="3E00-0002" Management user lheath@Firebox-DB from 10.19.84.100 logged in.

Once this event occurs, I would love the table to say: OIEXTFW01 - (user)

Until this kind of message occurs:

Dec 1 12:40:27 OIEXTFW01 Dec 1 12:38:31 SECUREIA_EXT_FW 80BE0998EE212 (2015-12-01T12:38:31) sessiond[1650]: msg_id="3E00-0004" Management user lheath@Firebox-DB from 10.19.84.100 logged out.

0 Karma