What is the query to setup a report to log all activity from a user? Basically anytime they access the VPN and log into the Network, and all activity they are doing.
No, I meant apps as in splunk apps - see https://splunkbase.splunk.com/
Without proper data onboarding (most importantly, assigning proper metadata so that each type of data gets ingested as the proper sourcetype) all you might have is just a sack of non-understandable strings.
It's not a Splunk-area question. It's a question for your infrastructure team: how much info, and with what tools, can they pull from the equipment? When you know what you can get, you can start thinking about how to ingest it into Splunk.
Your question is too generic:
Which technology are you speaking of?
Which Add-On did you use to take logs?
In other words, which fields do you have available?
You should have something like this, but it depends on all the above questions:
index=your_index | chart count OVER User BY action
I am using Splunk Enterprise.
All of our systems send audit data to a central log server; from there we use Splunk to query the data, which helps us set up reports, alerts, etc.
I'm not sure I understand your question, "Which Add-On did you use to take logs?"
Is this something that is found on the Splunk Enterprise platform?
You spoke of VPN user activity; which VPN technology are you using?
Because I suppose that you want to monitor the accesses using this technology!
How do you take the logs from this technology?
Usually an Add-On is used to take a Data Source; which one are you using?
I understand that you use Splunk Enterprise, but I need to understand how the technology you are using is sending logs to Splunk.
Do you know how Splunk works for getting data in? If not, read https://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain
If I understand your question:
We have a .conf file on devices that is configured to forward data in specific file paths to our central log server.
Your description is still too poor:
Have you got a Splunk Universal Forwarder installed on the target machine?
Which conf file are you using? I suppose inputs.conf.
Is the conf file in an App? If yes, which one?
As I said, read the Splunk documentation I pointed to in order to understand how Splunk works.
Anyway, you didn't answer the main question: which technology do you have to monitor (VPN)?
Well, let me rephrase. How would I query a user to see all the data at:
/var/log/syslog or /var/log/messages
/var/log/auth.log or /var/log/secure
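Before a search like `chart count OVER User BY action` can answer "what did this user do", the raw auth.log / secure lines have to be parsed into fields (user, action, source IP, command). The following is an added example, not code from the thread or from Splunk: a small Python parser that extracts those fields from constructed sample lines in the classic syslog format, then produces the same per-user-by-action count the earlier SPL query would, plus a per-user timeline and a repeated-failure check. The sample log lines, hostnames, usernames and IP addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the traditional syslog layout used by
# /var/log/auth.log (Debian/Ubuntu) and /var/log/secure (RHEL). Hosts,
# users, IPs and the key fingerprint are made up for this example.
SAMPLE_AUTH_LOG = """\
Mar  3 08:15:01 vpn-gw sshd[2041]: Accepted publickey for alice from 10.8.0.12 port 51514 ssh2: RSA SHA256:exampleFingerprint
Mar  3 08:15:01 vpn-gw sshd[2041]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 08:16:40 vpn-gw sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart openvpn
Mar  3 08:17:02 vpn-gw sshd[2077]: Failed password for bob from 198.51.100.7 port 40022 ssh2
Mar  3 08:17:05 vpn-gw sshd[2077]: Failed password for bob from 198.51.100.7 port 40022 ssh2
Mar  3 08:19:30 vpn-gw sshd[2041]: pam_unix(sshd:session): session closed for user alice
Mar  3 08:20:11 vpn-gw sshd[2099]: Invalid user admin from 198.51.100.7 port 40100
"""

# Syslog header: "Mon DD HH:MM:SS host proc[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^:\[\s]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)

# (action, pattern) pairs applied to the message part; the first match wins.
# Named groups pull out the user, the source IP and (for sudo) the command.
ACTION_PATTERNS = [
    ("login_success", re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("login_failure", re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("invalid_user", re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)")),
    ("session_open", re.compile(r"session opened for user (?P<user>\S+)")),
    ("session_close", re.compile(r"session closed for user (?P<user>\S+)")),
    ("sudo", re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")),
]


def parse_auth_log(text):
    """Turn raw auth.log text into a list of field dicts (one per recognised event).
    Lines that carry no header or match no known action are skipped."""
    events = []
    for line in text.splitlines():
        header = SYSLOG_RE.match(line)
        if not header:
            continue
        msg = header.group("msg")
        for action, pattern in ACTION_PATTERNS:
            m = pattern.search(msg)
            if m:
                fields = m.groupdict()
                events.append({
                    "time": header.group("ts"),
                    "host": header.group("host"),
                    "action": action,
                    "user": fields["user"],
                    "src": fields.get("src"),
                    "detail": fields.get("cmd"),
                })
                break
    return events


def chart_count_by_user(events):
    """Equivalent of the SPL 'chart count OVER User BY action': {user: {action: count}}."""
    chart = defaultdict(lambda: defaultdict(int))
    for ev in events:
        chart[ev["user"]][ev["action"]] += 1
    return {user: dict(actions) for user, actions in chart.items()}


def user_timeline(events, user):
    """Chronological activity of one user: (time, host, action, source-or-command)."""
    return [
        (ev["time"], ev["host"], ev["action"], ev["src"] or ev["detail"] or "")
        for ev in events
        if ev["user"] == user
    ]


def failed_login_sources(events, threshold):
    """Source IPs with at least `threshold` failed or invalid-user logins (a simple
    repeated-failure detection a report or alert would typically be built on)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["action"] in ("login_failure", "invalid_user") and ev["src"]:
            counts[ev["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    parsed = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, actions in chart_count_by_user(parsed).items():
        print(user, actions)
    for row in user_timeline(parsed, "alice"):
        print(*row)
    print("repeated failures:", failed_login_sources(parsed, 3))
```

Once the same fields (user, action, src) exist in Splunk, whether through the Splunk Add-on for Unix and Linux or your own field extractions, the per-user report is the `chart` query from earlier, and the repeated-failure check is the same count restricted to the failure actions.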
It would depend on what kind of events you have there and how they are parsed.
How are you ingesting those files? And what apps are you using to parse the data from those logs?
We use SolarWinds for Windows and Splunk for Linux. Both are configured to send audit logs to a central log server. We also use Zabbix.