Monitoring Splunk

How can I use windows events to monitor logon sessions

splunk_ny
Engager

I see in my security event log that there is a logon and logoff event. I would like to use this data to track total session logon time in Splunk?

Tags (1)
0 Karma
1 Solution

bschaefer
Splunk Employee
Splunk Employee

There are a few reasons why tracking session logon time in this manner is not accurate. For one, users typically don't physically log out, they lock their workstation, or allow the screen saver to lock it (which doesn't actually lock the workstation until someone wakes the computer back up). Also, someone trying to evade time detection can just hit the power button on the machine, assuming they have physical access to the box.

That being said, the following search should get you started in the right direction:

source="WinEventLog:Security" EventCode=4624 OR EventCode=4634  Account_Name=*  action=success 
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))  
|eval User=lower(User)| search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
|stats sum(duration) As Duration by User, ComputerName
|eval Duration(M)=round((Duration/60), 0) 
|table  User,Duration(M),ComputerName

View solution in original post

smudge797
Path Finder

Is there a way to have the output the table:
date, user, Duration, ComputerName
day1 user1 10 comp1.com
day2 user1 17 comp1.com
day3 user1 5 comp1.com
day1 user2 17 comp2.com
day2 user2 11 comp2.com
day3 user2 13 comp2.com
...

GoneSplunking
Explorer

index=* host=* sourcetype="WinEventLog:Security" EventCode="4624" OR EventCode=4634
| transaction user maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logontime=if(EventCode="4624",_time,null())
| eval Logofftime=Logontime+duration
| convert ctime(Logontime) as Logontime
| convert ctime(Logofftime) as Logofftime
| bucket _time span=day
| stats sum(duration) by _time user host
| rename duration AS "Duration (seconds)"

0 Karma

bschaefer
Splunk Employee
Splunk Employee

There are a few reasons why tracking session logon time in this manner is not accurate. For one, users typically don't physically log out, they lock their workstation, or allow the screen saver to lock it (which doesn't actually lock the workstation until someone wakes the computer back up). Also, someone trying to evade time detection can just hit the power button on the machine, assuming they have physical access to the box.

That being said, the following search should get you started in the right direction:

source="WinEventLog:Security" EventCode=4624 OR EventCode=4634  Account_Name=*  action=success 
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))  
|eval User=lower(User)| search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
|stats sum(duration) As Duration by User, ComputerName
|eval Duration(M)=round((Duration/60), 0) 
|table  User,Duration(M),ComputerName
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...