Splunk Search

Detect absence of an event

Communicator

I would like to be able to see if a user logs in via ssh but doesn't log out within 30 minutes.

For example

12:28:43.000 PM

2010-04-14T12:28:43+00:00 testing sshd(pam_unix)[9125]: session opened for user test

and the absence of a matching entry for that user logging out would send an alert / be something I could search on, i.e. users staying logged in after working hours.

Thanks!

1 Solution

Super Champion

In order to do event association like this, you must make sure that (1) you also have a matching closing event in the normal case, and (2) that you can uniquely associate the opening and closing events, which in your example should be possible using the pid (9125), and optionally the user (test) as well.

You should be able to use a search like this to group your events into transactions:

pam_unix sshd (closed OR opened) | transaction fields="host,pid" maxspan=30m startswith=opened endswith=closed keepevicted=t

If that works, you can add | search closed_txn=0 to the end of your search to filter out the incomplete events. This works because complete transactions mean you have both an opened and closed event, which is not true if the session took more than 30 minutes.

You can also play around with extracting the user field (if you haven't done so already). I'm guessing that this is something you will want if your goal is to report on who is logged in past your 30 minute window. Something like | rex "user (?<user>\w+)" should do the trick, but I haven't tested it. You can add this to the list of fields if you want as an extra safety, just in case your pids are reused very frequently, for example.

So your final search would look something like:

pam_unix sshd (closed OR opened) | rex "user (?<user>\w+)" | transaction fields="host,pid,user" maxspan=30m startswith=opened endswith=closed keepevicted=t | search closed_txn=0

You may also find the duration field added by the transaction command helpful. You could use this to chart average durations by user, for example.

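The pairing logic the answer gets from transaction, written out as an added Python example (not part of the answer or of Splunk): it parses lines in the question's format, keys on host, pid and user exactly as fields="host,pid,user" does, gives every pairing a closed_txn of 1 or 0 with the 30-minute maxspan, and then applies one extra check a scheduled alert needs. The sample log lines and the fixed "now" are constructed for the example; the user extraction assumes the same "user <name>" pattern the answer's rex relies on.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in the question's format, not real logs. They
# cover a normal session, a long one, one still open, a fresh one and a
# stray close with no matching open.
SAMPLE_LOG = """\
2010-04-14T12:28:43+00:00 testing sshd(pam_unix)[9125]: session opened for user test
2010-04-14T12:30:00+00:00 testing sshd(pam_unix)[9301]: session opened for user alice
2010-04-14T12:35:00+00:00 build01 sshd(pam_unix)[4410]: session opened for user bob
2010-04-14T12:40:10+00:00 testing sshd(pam_unix)[9125]: session closed for user test
2010-04-14T13:15:00+00:00 testing sshd(pam_unix)[9301]: session closed for user alice
2010-04-14T13:50:00+00:00 build01 sshd(pam_unix)[5002]: session opened for user carol
2010-04-14T13:55:00+00:00 build01 sshd(pam_unix)[7777]: session closed for user mallory
"""

# "Now" for the scheduled run, fixed so the example is deterministic (assumed value).
NOW = datetime.fromisoformat("2010-04-14T14:00:00+00:00")
MAXSPAN = timedelta(minutes=30)

# The fields the answer's transaction keys on: host, pid and (via rex) user.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\(pam_unix\)\[(?P<pid>\d+)\]: "
    r"session (?P<action>opened|closed) for user (?P<user>\w+)"
)


def parse_events(log_text):
    """Extract host, pid, user and action from pam_unix sshd lines, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a session open/close line
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def build_transactions(events, maxspan=MAXSPAN):
    """Pair opened/closed events the way
    transaction fields="host,pid,user" maxspan=30m startswith=opened endswith=closed keepevicted=t
    does. Every transaction gets closed_txn=1 (closed within maxspan) or 0."""
    pending = {}  # (host, pid, user) -> transaction still waiting for its close
    txns = []
    for e in events:
        key = (e["host"], e["pid"], e["user"])
        if e["action"] == "opened":
            if key in pending:
                # a second open with no close in between: the earlier one is evicted
                txns.append(pending.pop(key))
            pending[key] = {"host": e["host"], "pid": e["pid"], "user": e["user"],
                            "opened": e["ts"], "closed": None, "duration": None,
                            "closed_txn": 0}
            continue
        txn = pending.pop(key, None)
        if txn is None:
            continue  # close with no matching open in the window: nothing to pair
        txn["closed"] = e["ts"]
        txn["duration"] = (e["ts"] - txn["opened"]).total_seconds()
        # a close that arrives after maxspan does not complete the transaction
        txn["closed_txn"] = 1 if e["ts"] - txn["opened"] <= maxspan else 0
        txns.append(txn)
    # whatever is still pending never closed inside the window (closed_txn=0)
    txns.extend(pending.values())
    return txns


def long_sessions(log_text, now=NOW, maxspan=MAXSPAN):
    """Sessions to alert on: closed_txn=0 AND opened more than maxspan ago.
    The age check matters: `search closed_txn=0` alone also returns logins
    from the last few minutes that simply have not had time to close yet."""
    txns = build_transactions(parse_events(log_text), maxspan)
    flagged = [t for t in txns if t["closed_txn"] == 0 and now - t["opened"] > maxspan]
    return sorted(flagged, key=lambda t: t["opened"])


if __name__ == "__main__":
    for t in long_sessions(SAMPLE_LOG):
        closed = t["closed"].isoformat() if t["closed"] else "still open"
        print(f'{t["host"]} pid={t["pid"]} user={t["user"]} '
              f'opened={t["opened"].isoformat()} closed={closed}')
```

On the sample data this reports alice (closed after 45 minutes, so evicted) and bob (still open 85 minutes later) but not carol, whose 10-minute-old login would still show up as closed_txn=0 in the raw search; the stray close for mallory has no open to pair with and is dropped, which is also what transaction does with an orphan endswith event.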