Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I track unused logons in Windows?

kamranrahmad
Engager
‎02-14-2013 08:08 AM

I'm trying to get a query for the last login that occured over 30 days ago. Intent being to disable/delete unused accounts on Windows. Thanks in advance.

Tags (1)
0 Karma
Reply

jonuwz
Influencer
‎02-14-2013 09:14 AM

If you're using AD, you'll need to dump a list of all the logins otherwise you'll only be able to find users who have not logged in in the last 30 days, providing splunk has seen them ever log in.

Assuming you are using active directory, its far simpler to get this info from AD itself.

dsquery * -filter "(&(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=acme,DC=com)(lastLogonTimestamp<=129930132306842957))" -limit 0 -attr sAMaccountname lastLogonTimestamp

the lastlogon field is the number of nanoseconds since 1600, I think, so you need to calculate that value - 30 days ago and plug it into your search

edit changed lastlogon to lastlogontimestamp at jeffs suggestion

Reply

jonuwz
Influencer
‎02-14-2013 10:19 AM

Cheers Jeff, good to know, even if I now have to go and doublecheck a whole bunch of reports for accuracy ...

0 Karma
Reply

jeff
Contributor
‎02-14-2013 09:34 AM

jonuwz is right here... my answer above assumes a user logged in sometime between 40 and 30 days ago- it won't report any users that didn't log in at all or outside of that time. You could dump all AD users to a csv and use inputlookup to load them.

Note that lastLogon isn't replicated, so to be accurate you would need to get this value from every Domain Controller in your environment. You are better off querying lastLogonTimestamp. It is replicated, but is only updated on any given object if its value is over seven days (I think) old at the time of successful authentication.

Reply

jeff
Contributor
‎02-14-2013 09:10 AM

You'll probably find that this search will be expensive in Splunk without summary indexing enabled. Generate a query to search the Windows security logs for successful logons and schedule to run every x minutes or hours, adding the data to the summary indexing. Depending on what fields you choose to push to the summary index, you may just want to record one logon per user over the timespan... something like:

sourcetype=sourcetype=WinEventLog:Security EventCode=4648   | rex field=_raw "(?si)New Logon:.*Account Name:\W(?{user}[^ \r\n]+)" | stats max(_time) as lasttime by user

(note:* {user} above should really be <user>... markdown wasn't cooperating with me for some reason.)*

scheduled to run over an hour and added to a summary index hourly. Then...

index=summary_ad_logons earliest=-40d@d latest=-30d@d NOT [search index=summary earliest=-30d@d latest=now | dedup user | fields user]

Now, having said all of this, I'm pretty sure you can get this out of the native Microsoft plugins by looking at a given user's lastLogonTimestamp attribute. The Windows Server 2008 AD Administrative Center plugins has specific pre-bulit queries just for this purpose.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...