I was using the following question/answer:
How can I use windows events to monitor logon sessions
https://answers.splunk.com/answers/127012/how-can-i-use-windows-events-to-monitor-logon-sessions.htm...
But I need to create a report that lists Logon time, Logoff time, and Duration by User and Computer. Do you know how to alter this search string to achieve this?
Thank you.
I can only speak for myself: I never got this to work satisfactorily 100% of the time.
Not only did logoff times sometimes report incorrectly (as the same as logon), but also different people's logins would often overlap and mess up the calculations.
In the end, I think we went with another solution besides splunk (I'm not certain because the project was handed off to someone else).
Try this
source="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) Account_Name=* action=success
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name,0))
| eval User=lower(User) | search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logofftime=Logontime+duration
| convert ctime(_time) as Logontime
| convert ctime(Logofftime) as Logofftime
| eval Duration=round((duration/60), 0)
| table Logontime, Logofftime, Duration, User, ComputerName
| sort User, ComputerName
I too cannot get this to work for me. It creates a table with the users and Logontimes, but the Logofftime is always blank and duration always equals zero. I've been tinkering with it all day but cannot get it to fully work. It seems so close though!
I feel like the way it is defining duration and Logofftime is cyclical and self-referential...
To be specific, I need to track logon/logoff times for a specific workstation. I've installed the Splunk forwarder and configured it to forward the Security log to our index. Here is the code I am using:
index=MyIndex host="MyMachineName" sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) Account_Name=*
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name,0))
| eval User=lower(User) | search NOT (User=*$ OR User=system)
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logofftime=Logontime+duration
| convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as Logontime
| convert timeformat="%m/%d/%y %H:%M:%S" ctime(Logofftime) as Logofftime
| eval Duration=round((duration/60), 0)
| table Logontime, Logofftime, Duration, User, host
| sort User, host
And as a result, I'm getting a table which has:
Logontime column with a series of logon times
Logofftime column which is always blank
Duration column which is filled with zeros
User column which has a list of users (one for each logontime)
host column which has the machine name repeated (this is here because eventually I want to monitor five machines total)
it seems so close... if I could just get it to fill in the logoff and duration columns, my boss would be so happy. But I can't seem to figure it out any further than this... can anyone provide assistance? Thanks.
The search is referencing Logontime before it is being defined.
This
| eval Logofftime=Logontime+duration
should be
| eval Logofftime=_time+duration
Hope this helps.
Thanks. Changing this has filled in the "Logofftime" column, but the logon and logoff times are the same. I think this is because duration still equals zero. Getting closer...
I saw both those that are 0 in length and others with longer times being displayed in my search
Hi guys, did anyone get this to display the proper logoff times? I'm running into the same dilemma where the logoff time is the same as the logon time.
Here is what I did to get it to work properly
index=* host=* sourcetype="WinEventLog:Security" EventCode="4624" OR EventCode=4634
| transaction user maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logontime=if(EventCode="4624",_time,null())
| eval Logofftime=Logontime+duration
| convert ctime(Logontime) as Logontime
| convert ctime(Logofftime) as Logofftime
| table host, user, Logontime, Logofftime, duration
| sort user, host, -duration
| rename duration AS "Duration (seconds)"
Here is my contribution to this topic, since it is now almost 2024.
index="wineventlog" source="WinEventLog:Security" (EventCode=4624 AND Logon_Type=2) OR EventCode=4647 Account_Name=* action=success ComputerName=* earliest=-1d@d latest=@d
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval User=lower(User)
| search NOT User IN (*$, system)
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4647" maxspan=-1
| eval Logontime=if(EventCode="4624",_time,null())
| eval Logofftime=Logontime+duration
| eval Duration=round(duration/60/60, 2)
| convert ctime(Logontime) as Logontime
| convert ctime(Logofftime) as Logofftime
| table User ComputerName Logontime Logofftime Duration EventCode Logon_Type
| sort User, ComputerName, -Duration
| rename Duration AS "Duration (hours)"
For my use case I was looking for interactive sessions or sessions initiated by the user. The logoff event is 4647. The previous day's events are being collected using the earliest and latest settings. I converted my time to hours with two decimal places. Lastly, I excluded the system account.
Thanks to all those who contributed to the previous solutions they were really helpful.
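All of the searches in this thread pair a 4624 with the next 4634/4647 for the same user name, which is why the first reply saw durations break whenever one user had overlapping sessions on a host: the transaction closes the wrong logon. Windows assigns every logon session a Logon ID that the matching logoff event repeats (Logon_ID in the classic rendering, TargetLogonId/SubjectLogonId in XML), so keying the pairing on (host, Logon ID) rather than on User is what makes the durations reliable; in SPL that means putting that field in the transaction instead of User. The following Python is an added example for this thread, not code from Splunk or from any poster here: it runs that pairing over a few constructed events (the host, user names, times and Logon IDs are invented) in the key=value shape the Windows add-on extracts, takes the last Account_Name value of a 4624 as the mvindex() trick above does, drops machine and built-in service accounts, optionally keeps only interactive logon types, and reports still-open sessions and orphan logoffs instead of quietly producing zero durations.

```python
"""Pair Windows logon (4624) and logoff (4634/4647) events into sessions.

Added example for this thread, not Splunk's or any poster's code.
Windows gives every logon session a Logon ID that the later logoff event
repeats, so pairing on (host, Logon ID) does not confuse two concurrent
sessions of the same user the way pairing on the user name does.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOGON_CODE = "4624"
LOGOFF_CODES = {"4634", "4647"}          # session ended / user-initiated logoff
INTERACTIVE_TYPES = {"2", "10", "11"}    # console, RDP, cached credentials
SERVICE_ACCOUNTS = {"system", "local service", "network service"}

# Constructed sample input (invented host, users, times and Logon IDs) in the
# key=value shape the Splunk Windows add-on extracts. A real 4624 carries two
# Account_Name values (the subject and the account that logged on); they are
# written here as a comma-separated pair. alice has two concurrent sessions.
SAMPLE_EVENTS = """\
2024-01-15T08:00:00 EventCode=4624 Logon_Type=2 Account_Name=WS01$,alice Logon_ID=0x1a2b ComputerName=WS01
2024-01-15T08:05:00 EventCode=4624 Logon_Type=3 Account_Name=-,alice Logon_ID=0x1a3c ComputerName=WS01
2024-01-15T08:06:00 EventCode=4634 Logon_Type=3 Account_Name=alice Logon_ID=0x1a3c ComputerName=WS01
2024-01-15T09:00:00 EventCode=4624 Logon_Type=5 Account_Name=-,SYSTEM Logon_ID=0x3e7 ComputerName=WS01
2024-01-15T12:30:00 EventCode=4647 Account_Name=alice Logon_ID=0x1a2b ComputerName=WS01
2024-01-15T13:00:00 EventCode=4624 Logon_Type=2 Account_Name=WS01$,bob Logon_ID=0x5f60 ComputerName=WS01
"""

_KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Session:
    user: str
    host: str
    logon_id: str
    logon_type: str
    logon: datetime
    logoff: Optional[datetime] = None

    @property
    def duration_min(self) -> Optional[float]:
        """Minutes between logon and logoff; None while the session is still open."""
        if self.logoff is None:
            return None
        return round((self.logoff - self.logon).total_seconds() / 60, 1)


def parse_event(line: str) -> dict:
    """Split '<iso time> k=v k=v ...' into a dict and derive the lower-cased User."""
    stamp, _, rest = line.partition(" ")
    ev = dict(_KV.findall(rest))
    ev["_time"] = datetime.fromisoformat(stamp)
    # The last Account_Name is the account that actually logged on (the
    # mvindex(Account_Name, 1) trick used in the searches above).
    ev["User"] = ev.get("Account_Name", "").split(",")[-1].lower()
    return ev


def is_noise_account(user: str) -> bool:
    """Machine accounts (trailing $) and built-in service identities."""
    return user.endswith("$") or user in SERVICE_ACCOUNTS


def build_sessions(lines, interactive_only: bool = True) -> Tuple[List[Session], int]:
    """Return (sessions, unmatched_logoffs), keyed on (host, Logon ID).

    Sessions still open at the end of the input are returned with logoff=None
    rather than being dropped or given a zero duration.
    """
    open_sessions: Dict[Tuple[str, str], Session] = {}
    closed: List[Session] = []
    unmatched_logoffs = 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        key = (ev.get("ComputerName", ""), ev.get("Logon_ID", ""))
        code = ev.get("EventCode")
        if code == LOGON_CODE:
            if is_noise_account(ev["User"]):
                continue
            if interactive_only and ev.get("Logon_Type") not in INTERACTIVE_TYPES:
                continue
            open_sessions[key] = Session(ev["User"], key[0], key[1],
                                         ev.get("Logon_Type", ""), ev["_time"])
        elif code in LOGOFF_CODES:
            session = open_sessions.pop(key, None)
            if session is None:
                unmatched_logoffs += 1   # logoff for a logon we never saw or filtered out
                continue
            session.logoff = ev["_time"]
            closed.append(session)
    return closed + list(open_sessions.values()), unmatched_logoffs


def report(sessions: List[Session]) -> List[dict]:
    """Rows in the shape of the thread's table, sorted by user, host, logon time."""
    fmt = "%m/%d/%y %H:%M:%S"
    rows = []
    for s in sorted(sessions, key=lambda s: (s.user, s.host, s.logon)):
        rows.append({
            "User": s.user, "host": s.host, "Logon_Type": s.logon_type,
            "Logontime": s.logon.strftime(fmt),
            "Logofftime": s.logoff.strftime(fmt) if s.logoff else "still logged on",
            "Duration (min)": s.duration_min,
        })
    return rows


if __name__ == "__main__":
    sessions, orphans = build_sessions(SAMPLE_EVENTS.splitlines(), interactive_only=False)
    for row in report(sessions):
        print(row)
    print(f"logoffs without a matching logon: {orphans}")
```

With `interactive_only=False` the sample yields alice's console session at 270 minutes and her one-minute network session separately, with bob still logged on; a user-name pairing would have closed alice's 08:00 console logon with the 08:06 network logoff. With the default `interactive_only=True` the network logon is filtered, so its 4634 is counted as an unmatched logoff rather than being attached to some other session. The same idea applies to the SPL above: whether the extracted field is Logon_ID or TargetLogonId depends on whether you ingest the classic or the XML rendering, so check the field name in your own events before changing the transaction key.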
@GoneSplunking: Glad to hear this is working for you. However, this doesn't work for me. Still plugging away at this. Thanks though
I made a slight change for readability on my part. Does any part of the query work?
Hi,
How are you getting the Logontime field that is used in line 5? This is not working.