
How do I track a user's login session from VPN to Windows server(s)?

mikeyemane
New Member

I would like to be able to track a user's login session from VPN and then login to a Windows server(s). User login scenario: VPN login --> Windows Server Login --> Windows Server Login

VPN Search --> userid=user.id

index=x "Login succeeded" | rex "\]\sGDI\\\(?<userid>[^\(]+)"

Windows Search --> user=user.id

index=wineventlog sourcetype="WinEventLog:Security" Account_Name!="*$" AND Account_Name!=SYSTEM AND EventCode=4624 AND user!="ANONYMOUS LOGON"

I would like to create a table that shows their login time at the VPN, login time and process(s) started on the Windows servers. I can do this separately, but how do you combine the searches?

Thanks.

0 Karma

DEAD_BEEF
Builder

Hi there, hoping this gets you started. I think what you are trying to do is present a table that has information from your VPN logs AND your Windows server logs. Thankfully, it appears that you can join the two logs based on the userid that you are extracting via rex. I rewrote your NOT statements, as != is different from NOT and I think you want the latter. You can read up on the nuances between them here. Either way, perhaps this puts you on the path to your solution.

This query searches your VPN logs and extracts the userid. It then passes it to your Windows server logs and searches based on that userid. We then join the Windows server logs that we care about with VPN logs and match them together based on a common userid (when they match). Finally, once they are joined you can reference the fields from both the VPN index and Windows server index.

Lastly, I would recommend two things:
1. That you create a field extraction for your userid so that you can remove it from the search. This can be done via Settings > Fields > Field extractions > Add new. For this field to appear for other users, ensure it has the proper permissions once created.
2. That you create an event type, Win_User_Logon to simplify the query (remove all the NOT filtering from the main query by using it via the event type). This can be done via Settings > Event types > Add new.

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 NOT (Account_Name="*$" OR Account_Name=SYSTEM OR user="ANONYMOUS LOGON")
    [ search index=x "Login succeeded"
    | rex "\]\sGDI\\\(?<userid>[^\(]+)"
    | rename userid AS user
    | fields user ]
| eval userid=user, winLogonTime=strftime(_time, "%Y-%m-%d %H:%M:%S")
| join userid overwrite=f
    [ search index=x "Login succeeded"
    | rex "\]\sGDI\\\(?<userid>[^\(]+)"
    | eval login_time = _time
    | convert ctime(login_time) ]
| stats count by userid login_time winLogonTime

Assuming you also implemented my two recommendations, you could reduce this search to:

index=wineventlog eventtype="Win_User_Logon"
    [ search index=x "Login succeeded"
    | rename userid AS user
    | fields user ]
| eval userid=user, winLogonTime=strftime(_time, "%Y-%m-%d %H:%M:%S")
| join userid overwrite=f
    [ search index=x "Login succeeded"
    | eval login_time = _time
    | convert ctime(login_time) ]
| stats count by userid login_time winLogonTime
0 Karma

dimitryz
Path Finder

Hi,
you can use the first search as a subsearch to the second search.

Something like this:

index=wineventlog sourcetype="WinEventLog:Security" Account_Name!="*$" AND Account_Name!=SYSTEM AND EventCode=4624 [search index=x "Login succeeded" | rex "\]\sGDI\\\(?<user>[^\(]+)" | stats count by user | fields - count | format] | table *

0 Karma
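Both answers above correlate the two sources on the extracted user field: DEAD_BEEF's via `join userid`, dimitryz's via a subsearch whose results are `format`ted into the outer search. The script below is an added example, not code from either poster or from Splunk, that performs the same correlation offline over constructed sample data so the logic can be checked outside Splunk. It goes one step beyond a plain join: each server logon is attributed only to a VPN login for the same user that precedes it within a time window, and server logons with no preceding VPN login are reported separately, which is the case a defender most wants to see. The VPN line layout, the Windows field names, hostnames, timestamps and the 12-hour window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample VPN log lines (not from the original post). The
# "] GDI\user (" shape is what the thread's rex pattern expects.
VPN_LOGS = [
    "2024-03-01T08:00:12Z vpn01 [sess=11] GDI\\alice (10.0.0.5) Login succeeded",
    "2024-03-01T08:05:40Z vpn01 [sess=12] GDI\\bob (10.0.0.9) Login succeeded",
    "2024-03-01T08:06:01Z vpn01 [sess=13] GDI\\carol (10.0.0.7) Login failed",
]

# Constructed Windows Security events, already split into the fields the
# WinEventLog:Security sourcetype presents (subset only).
WIN_EVENTS = [
    {"_time": "2024-03-01T08:02:30Z", "host": "srv01", "EventCode": 4624, "user": "alice"},
    {"_time": "2024-03-01T08:04:10Z", "host": "srv02", "EventCode": 4624, "user": "alice"},
    {"_time": "2024-03-01T07:50:00Z", "host": "srv02", "EventCode": 4624, "user": "bob"},  # before bob's VPN login
    {"_time": "2024-03-01T08:03:00Z", "host": "srv01", "EventCode": 4624, "user": "SRV01$"},  # machine account
    {"_time": "2024-03-01T08:03:05Z", "host": "srv01", "EventCode": 4624, "user": "ANONYMOUS LOGON"},
    {"_time": "2024-03-01T08:07:00Z", "host": "srv03", "EventCode": 4625, "user": "alice"},  # failed logon
]

# Same pattern as the thread's rex; Python spells a named group (?P<name>...).
VPN_USER_RE = re.compile(r"\]\sGDI\\(?P<userid>[^(]+)")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    return datetime.strptime(text, TS_FORMAT)


def parse_vpn_logins(lines):
    """Map userid -> sorted list of successful VPN login times.

    Mirrors: index=x "Login succeeded" | rex ... | eval login_time=_time
    """
    logins = {}
    for line in lines:
        if "Login succeeded" not in line:
            continue
        match = VPN_USER_RE.search(line)
        if not match:
            continue
        # [^(]+ also captures the whitespace before "(", so trim it.
        userid = match.group("userid").strip()
        logins.setdefault(userid, []).append(parse_ts(line.split(" ", 1)[0]))
    for times in logins.values():
        times.sort()
    return logins


def windows_user_logons(events):
    """Apply the thread's filters: 4624 only, no machine, SYSTEM or anonymous accounts."""
    kept = []
    for ev in events:
        user = ev["user"]
        if ev["EventCode"] != 4624:
            continue
        if user.endswith("$") or user in ("SYSTEM", "ANONYMOUS LOGON"):
            continue
        kept.append(ev)
    return kept


def correlate(vpn_logins, win_events, window=timedelta(hours=12)):
    """Attribute each server logon to the most recent earlier VPN login.

    Unlike a plain `join userid`, this enforces time order: a server logon
    with no VPN login for that user in the preceding `window` is returned
    in the second list instead of being silently joined or dropped.
    """
    attributed, unattributed = [], []
    for ev in windows_user_logons(win_events):
        win_time = parse_ts(ev["_time"])
        earlier = [t for t in vpn_logins.get(ev["user"], [])
                   if t <= win_time and win_time - t <= window]
        row = {"userid": ev["user"], "host": ev["host"], "win_logon": win_time}
        if earlier:
            row["vpn_login"] = max(earlier)
            attributed.append(row)
        else:
            unattributed.append(row)
    return attributed, unattributed


def render(rows):
    """Text table in the shape the question asks for: VPN login, server logon, host."""
    out = ["userid  vpn_login            win_logon            host"]
    for r in rows:
        out.append(f"{r['userid']:<7} {r['vpn_login']:%Y-%m-%d %H:%M:%S}  "
                   f"{r['win_logon']:%Y-%m-%d %H:%M:%S}  {r['host']}")
    return "\n".join(out)


if __name__ == "__main__":
    matched, unmatched = correlate(parse_vpn_logins(VPN_LOGS), WIN_EVENTS)
    print(render(matched))
    for r in unmatched:
        print(f"no preceding VPN login: {r['userid']} on {r['host']} at {r['win_logon']}")
```

With the sample data, alice's two server logons are attributed to her 08:00:12 VPN login, bob's 07:50:00 logon is flagged as having no preceding VPN session, and the machine account, anonymous logon and 4625 event are filtered out before correlation. The trailing-whitespace trim matters in SPL too: the `[^\(]+` group in the thread's rex keeps any space before `(`, so a join or subsearch on that field will not match the Windows `user` value unless the extracted value is trimmed or the pattern is tightened.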