Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Account user monitoring- What is a search that I can create an alert and weekly scheduled report?

woodlandrelic
Path Finder
‎12-02-2022 12:54 PM

Hi

Am trying to create an alert and a weekly scheduled report for user"us.admin" in Splunk. I want to get an alert if this user login and activities if possible. Am already monitoring the path and pushing into Splunk. What are the appropriate search strings to do this? Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
Esteemed Legend
‎12-03-2022 08:39 AM

Hi @woodlandrelic,

if you want to trace all the successful logins of a user in an alert to all you Linux systems, you should use something like this:

index=os "accepted password" 
| stats count values(host) AS host BY user

in this way you have all the logins of each user with the indication of the logged hosts.

If you want to monitor only one host, you can put it in the main search.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
Esteemed Legend
‎12-03-2022 03:44 AM

Hi @woodlandrelic,

what's the system to monitor: windows, linux, which one?

Then, which condition do you want to monitor: failed logins, or logins out of work time, which one?

To monitor a user is a too generic question.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

woodlandrelic
Path Finder
‎12-03-2022 04:34 AM

Hi @gcusello

Sorry the system is Linux. I want to see an alert anytime that accout login. So Login sir. Thank you.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
Esteemed Legend
‎12-03-2022 08:39 AM

Hi @woodlandrelic,

if you want to trace all the successful logins of a user in an alert to all you Linux systems, you should use something like this:

index=os "accepted password" 
| stats count values(host) AS host BY user

in this way you have all the logins of each user with the indication of the logged hosts.

If you want to monitor only one host, you can put it in the main search.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

woodlandrelic
Path Finder
‎12-04-2022 11:58 PM

@gcusello

Thank you very much. I will try it once I login later this morning.

Am fairly new to Splunk. Is there a cheat sheet, search strings, and commands to enhance my SPL? Thanks again.

0 Karma
Reply
Solved! Jump to solution

gcusello
Esteemed Legend
‎12-05-2022 12:36 AM

HI @woodlandrelic,

you can start from the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial) then ther are meny videos in the YouTube Splunk Channel and many courses, some of them free (https://www.splunk.com/en_us/training/free-courses/overview.html)

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Tips & Tricks When Using Ingest Actions

Tune in to learn about:Large scale architecture when using Ingest ActionsRegEx performance considerations ...

Announcing Our Splunk MVPs

We are excited to announce the first cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...