Hi guys,
I'm going crazy and I'm completely lost. I'm trying to create a query that displays concurrent connections. I understand that this has been previously asked but what seemed to be the solution or "most popular" answer didn't work for me and seemed to be too complicated.
I'm trying to create a search that finds concurrent connections and then creates a table with the time, user and when the concurrency occurred.
I know I am missing something because even though I get no errors, I see a message saying "572781 events were ignored due to missing or invalid start or duration fields."
This is my search
index=fw tag=vpn
|eval "start"=cisco_vpn_start
|eval "start"=ftnt_fgt_vpn_start
|eval "stop"=cisco_vpn_end
|eval "stop"=ftnt_fgt_vpn_end
|eval "total_time"=start-stop
| concurrency duration=total_time
| timechart span=5m max(concurrency) as concurrency
| where concurrency > 0
| table concurrency, user, _time
Explained, we basically have to vpns
Duration: the total time from when one session starts until it ends.
Concurrency: measures the number of events which have spans that overlap with the start of each event.
I'm using 5 minutes as a time span and I want it to display the events where there is at least one concurrent connection. My brain is fried and I can't figure out what I'm doing wrong. I've been biting my nails and I think I peeled off all my nail polish.
Any help would be greatly appreciated.
The concurrency command has no by-clause, and the concurrency field value it returns includes all observed events. In your case, all events is all VPN sessions.
Assuming both Cisco and Fortinet solutions log events at session end with minimal indexing delay, you can find which users ended multiple sessions within a five minute window using streamstats:
tag=network tag=session tag=vpn
| streamstats time_window=5m count by user
| where count>1
| table _time user count
If you expect sessions to overlap with end times more than five minutes apart, you can modify the time_window argument.
This isn't a perfect solution, but it may work well for ad hoc investigations.