Security

How to track a specific user login and logoff the past 30 days

New Member

Please excuse my lack of knowledge with Splunk but I need to track a user by login/logoff for the past 30 days. I looked through some of the answers but can't seem to get this to work. Appreciate your help!


Explorer

This worked for me:

earliest=-30d index=_internal action=login OR action=logoff | eval length=len(user) | search length>1 | eval eventdate=strftime(_time,"%Y-%m-%d") | dedup eventdate, user| table eventdate, user


Contributor

@dfrankekcg, it's not working for me. The user detail always populates with "-" rather than an actual user. Did you make any changes to the system to get this to work?


New Member

Thanks somesoni2: just figured that out as well.


SplunkTrust

Not sure if this will be helpful. We can track the logon/logoff for a user on a Windows machine. The data is stored in the Event Log under Security. Splunk can monitor the same. EventCode=4624 is for LOGON and EventCode=4634 for LOGOFF. Once the data is indexed, you can search Splunk.

source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 | table _time Account* Logon*


New Member

adylent: thanks for your excellent response but I'm trying to track specific users within Active Directory or Windows security logs to determine when a user logged in/out.

What you provided above was great information for when someone logs into Splunk, but I'm trying to use a different syntax for searching within the security logs from the DCs.

Thanks for your help!


New Member

Running version 5.0.4, build 172409

I'm the admin in splunk and have domain admin rights


Path Finder

You may need to audit your user role and ensure that you have access to the _internal index (I think by default most users are limited to non-internal indexes).

Which version of Splunk are you running?


New Member

When I paste the command with "johndoe", it doesn't find any record. Should I perform a search from the Splunk App for Active Directory? I believe by default it is searching for johndoe logging into Splunk.

earliest=-30d index=_internal sourcetype=splunk_web_service user="johndoe" | convert ctime(_time) as time | eval userevent=time.": ".action | stats values(userevent) as UserEvent by user

Appreciate your help! I'll award you points 🙂


Path Finder

Try this (verified in Splunk 6):

earliest=-30d index=_internal sourcetype=splunk_web_service user="*" action=login OR action=logoff | table user status action reason message

Replace user="*" with the username you care about.

Or you could do something like this:

earliest=-30d index=_internal sourcetype=splunk_web_service user="*" | convert ctime(_time) as time | eval userevent=time.": ".action | stats values(userevent) as UserEvent by user

Influencer

The field value for action has changed from logoff to logout now; use the updated query:

index=_internal sourcetype=splunk_web_service earliest=-30d  user="*" action=login OR action=logout | table user status action reason message
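As an added example that is not from any of the posters, the same login/logout tracking done in Python over constructed splunk_web_service-style lines: it applies the 30-day window, treats the old logoff and the new logout action values as the same event, drops the "-" placeholder user reported above, and also produces the per-day view from the first answer. The line format and field names are assumptions made for the sample.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a "timestamp key=value ..." layout (an assumption,
# not the real splunk_web_service format); field names follow the thread.
SAMPLE_EVENTS = [
    "2024-05-01 08:02:11 user=johndoe action=login status=success reason=- message=-",
    "2024-05-01 17:30:05 user=johndoe action=logout status=success reason=- message=-",
    "2024-05-02 09:10:00 user=- action=login status=failure reason=- message=-",   # the "-" user
    "2024-05-03 08:15:42 user=johndoe action=login status=success reason=- message=-",
    "2024-05-03 12:01:09 user=janedoe action=login status=success reason=- message=-",
    "2024-03-20 08:00:00 user=johndoe action=logoff status=success reason=- message=-",  # too old
]

KV_RE = re.compile(r"(\w+)=(\S+)")
LOGOFF_ACTIONS = {"logoff", "logout"}   # old and new field values seen in the thread


def parse_event(line):
    """Split one line into its timestamp and key=value fields."""
    fields = dict(KV_RE.findall(line[20:]))
    fields["_time"] = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return fields


def login_events(lines, user, now, days=30):
    """Rows of (time, user, action), like
    'earliest=-30d user=<user> action=login OR action=logout | table _time user action'.
    user="*" matches everyone; logoff is normalised to logout."""
    earliest = now - timedelta(days=days)
    rows = []
    for line in lines:
        ev = parse_event(line)
        if ev["_time"] < earliest:
            continue                      # outside the 30-day window
        if len(ev.get("user", "")) <= 1:  # same effect as len(user)>1: drops the "-" user
            continue
        if user != "*" and ev["user"] != user:
            continue
        action = ev.get("action")
        if action == "login" or action in LOGOFF_ACTIONS:
            normalised = "login" if action == "login" else "logout"
            rows.append((ev["_time"].strftime("%Y-%m-%d %H:%M:%S"), ev["user"], normalised))
    return rows


def active_days(lines, user, now, days=30):
    """Sorted distinct dates on which the user had a login/logout, as in
    'eval eventdate=strftime(_time,"%Y-%m-%d") | dedup eventdate, user'."""
    return sorted({t[:10] for t, _, _ in login_events(lines, user, now, days)})
```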