Report to monitor logon/logoff time and duration on Windows

ejwade
Contributor

I was using the following question/answer:

How can I use windows events to monitor logon sessions
https://answers.splunk.com/answers/127012/how-can-i-use-windows-events-to-monitor-logon-sessions.htm...

But I need to create a report that lists Logon time, Logoff time, and Duration by User and Computer. Do you know how to alter this search string to achieve this?

Thank you.

caseynordell
Explorer

I can only speak for myself: I never got this to work satisfactorily 100% of the time.
Not only did logoff times sometimes report incorrectly (as the same as logon), but also different people's logins would often overlap and mess up the calculations.
In the end, I think we went with another solution besides splunk (I'm not certain because the project was handed off to someone else).

sundareshr
Legend

Try this

 source="WinEventLog:Security" EventCode=4624 OR EventCode=4634  Account_Name=*  action=success 
 | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))  
 | eval User=lower(User)| search NOT User=*$
 | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
 | eval Logofftime=Logontime+duration
 | convert ctime(_time) as Logontime
 | convert ctime(Logofftime) as Logofftime
 | eval Duration=round((duration/60), 0) 
 | table Logontime Logofftime Duration User Computer 
 | sort User Computer

caseynordell
Explorer

I too cannot get this to work for me. It creates a table with the users and Logontimes, but the Logofftime is always blank and duration always equals zero. I've been tinkering with it all day but cannot get it to fully work. It seems so close though!
I feel like the way it is defining duration and Logofftime is cyclical and self-referential...

caseynordell
Explorer

To be specific, I need to track logon/logoff times for a specific workstation. I've installed the Splunk forwarder and configured it to forward the Security log to our index. Here is the code I am using:

index=MyIndex host="MyMachineName" sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=*
  | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))  
  | eval User=lower(User)| search NOT (User=*$ OR User=system)
  | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
  | eval Logofftime=Logontime+duration
  | convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as Logontime
  | convert timeformat="%m/%d/%y %H:%M:%S" ctime(Logofftime) as Logofftime
  | eval Duration=round((duration/60), 0) 
  | table Logontime Logofftime Duration User host 
  | sort User host

And as a result, I'm getting a table which has:
Logontime column with a series of logon times
Logofftime column which is always blank
Duration column which is filled with zeros
User column which has a list of users (one for each logontime)
host column which has the machine name repeated (this is here because eventually I want to monitor five machines total)

it seems so close... if I could just get it to fill in the logoff and duration columns, my boss would be so happy. But I can't seem to figure it out any further than this... can anyone provide assistance? Thanks.

kenoski
Path Finder

The search is referencing Logontime before it is being defined.

This
| eval Logofftime=Logontime+duration

should be
| eval Logofftime=_time+duration

Hope this helps.

caseynordell
Explorer

Thanks. Changing this has filled in the "Logofftime" column, but the logon and logoff times are the same. I think this is because duration still equals zero. Getting closer...

kenoski
Path Finder

I saw both those that are 0 in length and others with longer times being displayed in my search.

dharveynswccd
Path Finder

Hi guys, did anyone get this to display the proper logoff times? I'm running into the same dilemma where the logoff time is the same as the logon time.

GoneSplunking
Explorer

Here is what I did to get it to work properly:
index=* host=* sourcetype="WinEventLog:Security" EventCode="4624" OR EventCode=4634
| transaction user maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logontime=if(EventCode="4624",_time,null())
| eval Logofftime=Logontime+duration
| convert ctime(Logontime) as Logontime
| convert ctime(Logofftime) as Logofftime
| table host, user, Logontime, Logofftime, duration
| sort user, host, -duration
| rename duration AS "Duration (seconds)"

jason_hotchkiss
Communicator

Here is my contribution to this topic, since it is now almost 2024.

index="wineventlog" source="WinEventLog:Security" (EventCode=4624 AND Logon_Type=2) OR EventCode=4647 Account_Name=* action=success ComputerName=* earliest=-1d@d latest=@d
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval User=lower(User)
| search NOT User IN (*$, system)
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4647" maxspan=-1
| eval Logontime=if(EventCode="4624",_time,null())
| eval Logofftime=Logontime+duration
| eval Duration=round(duration/60/60, 2)
| convert ctime(Logontime) as Logontime
| convert ctime(Logofftime) as Logofftime
| table User ComputerName Logontime Logofftime Duration EventCode Logon_Type
| sort User ComputerName -Duration
| rename Duration AS "Duration (hours)"

For my use case I was looking for interactive sessions or sessions initiated by the user. The log off event is 4647. The previous day's events are being collected using the earliest and latest settings. I converted my time to hours with two decimal places. Lastly, I excluded the system account.

Thanks to all those who contributed to the previous solutions; they were really helpful.

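The searches in this thread pair a 4624 with the next 4634/4647 for the same user, which is why overlapping sessions of one account (the problem caseynordell describes) and logons that never get a logoff produce wrong or zero durations. The Python below is an added example, not code from any post in the thread: it pairs constructed sample events on the Logon_ID that both event codes carry (the field name follows the Splunk Windows add-on's extraction; the field name and all sample values are assumptions), so concurrent sessions of the same user stay separate and unmatched logons are reported as still open.

```python
"""Pair Windows logon (4624) and logoff (4634/4647) events into sessions.

Added example modelling what the thread's `transaction` searches try to
do, but keyed on Logon_ID instead of the account name. Field names and
sample values are assumptions; no real log data is used.
"""

# Constructed sample events (not real logs). _time is epoch seconds.
# alice has two overlapping sessions (console 0x1a, RDP 0x2b); the
# machine account and bob's still-open logon exercise the edge cases.
EVENTS = [
    {"_time": 1000, "EventCode": 4624, "Account_Name": "alice", "Logon_ID": "0x1a", "Logon_Type": 2},
    {"_time": 1300, "EventCode": 4624, "Account_Name": "alice", "Logon_ID": "0x2b", "Logon_Type": 10},
    {"_time": 1600, "EventCode": 4634, "Account_Name": "alice", "Logon_ID": "0x1a"},
    {"_time": 1700, "EventCode": 4624, "Account_Name": "WKSTN01$", "Logon_ID": "0x3c", "Logon_Type": 3},
    {"_time": 1800, "EventCode": 4647, "Account_Name": "alice", "Logon_ID": "0x2b"},
    {"_time": 2000, "EventCode": 4624, "Account_Name": "bob", "Logon_ID": "0x4d", "Logon_Type": 2},
]

LOGOFF_CODES = {4634, 4647}  # 4634 = session ended, 4647 = user-initiated logoff

def is_user_account(name):
    """Drop machine accounts (trailing $) and SYSTEM, as the thread's searches do."""
    n = name.lower()
    return not n.endswith("$") and n != "system"

def pair_sessions(events):
    """Return (completed sessions, still-open logons), matched on Logon_ID.

    Events are processed in time order; a logoff closes only the logon
    that shares its Logon_ID, so same-user sessions cannot cross-pair.
    """
    open_logons = {}   # Logon_ID -> 4624 event awaiting its logoff
    sessions = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        if not is_user_account(ev["Account_Name"]):
            continue
        lid = ev["Logon_ID"]
        if ev["EventCode"] == 4624:
            open_logons[lid] = ev
        elif ev["EventCode"] in LOGOFF_CODES and lid in open_logons:
            start = open_logons.pop(lid)
            sessions.append({
                "user": start["Account_Name"].lower(),
                "logon_type": start["Logon_Type"],
                "logon_time": start["_time"],
                "logoff_time": ev["_time"],
                "duration_min": round((ev["_time"] - start["_time"]) / 60, 1),
            })
    return sessions, list(open_logons.values())

if __name__ == "__main__":
    done, still_open = pair_sessions(EVENTS)
    for s in done:
        print(s)
    print("open:", [e["Account_Name"] for e in still_open])
```

Logoffs whose Logon_ID has no matching 4624 in the search window are ignored rather than paired with an unrelated logon, which is the case that produces the equal logon/logoff times seen in the thread.
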
dharvey32
New Member

@GoneSplunking: Glad to hear this is working for you. However, this doesn't work for me. Still plugging away at this. Thanks though

GoneSplunking
Explorer

I made a slight change for readability on my part. Does any part of the query work?

thambisetty_bal
Path Finder

Hi,
How are you getting the logontime field that is used in line 5? This is not working.
