- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
track all active session (RDP) in network by user
hello, I want to track all active session(RDP) in the network and see who login which server, what is the source IP address, and the sum of minutes of the active session
I use this code found in this forum with some tune but it doesn't cover all that I need, it is necessary I know how much time is session active
sry if my English not fluent
source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=* action=success NOT | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) | eval User=lower(User) | search NOT User=*$ | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1 | stats sum(duration) As Duration by User, ComputerName, Source_Network_Address | eval Duration(M)=round((Duration/60), 0) | table User,Source_Network_Address,Duration(M),ComputerName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it is necessary I know how much time is session active
From the search you attached:
| eval Duration(M)=round((Duration/60), 0)
| table User,Source_Network_Address,Duration(M),ComputerName
The Duration here is being is the time between the login and logoff events associated with the session.
Although I believe there may be an issues:
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
If a user RDPs to multiple system,s, those session could be incorrectly connected as a transaction since you are only using the username as the criteria. I would change that to:
| transaction User, ComputerName maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you, it is useful
if I want to track active session too, what should do??? I mean the user does not log off cause we want to monitor users behavior
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you would keep evicted (incomplete transactions) and find the incomplete ones with the start event
| transaction User, ComputerName startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1 maxevents=2 keepevicted=true
| search for closed_txn=0 AND EventCode=4624
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Transaction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do your self test this????
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What problem do you see with current search results? How many events does your search is processing (or could process)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to see active session, this search show session that disconnect and the user doesn't active anymore, I need to see active session
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
no one can help me?
