Splunk Search

How to extract name of user when useradd command is ran


I am receiving the audit.log data from a universal forwarder running on a Linux box

Hello below is my search string and event logs:

search string

index=* host=* sourcetype="" user="" "/usr/sbin/useradd" "type=ADD_USER"

example of log results:

type=ADD_USER msg=audit(1501682042.274:12228): pid=6168 uid=0 auid=1000 ses=1367 msg='op=add-user id=1007 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/1 res=success'
date_zone = 0 index =   my_fwdr =   /var/log/audit/audit.log sourcetype =   linux:audit uid =   0 user =    guser

I see that the user who ran the useradd command is "guser" and the id of the newly created user is 1007 BUT I want the actual user NAME of the newly created user...not the id
How do I get the actual name of the newly created user. I don't want the id. Do I need to search in a different log file? Does audit.log not contain the user name but only the id when users are created?

0 Karma


Think of it this way...

A user ID is like a key that allows you to find the user account itself.

The user name is just a description of the account, not necessarily the name of a person. The user name could be, literally, "Service Account 23 for Marketing Initiatives under Jane Smith's hierachy"

In the text on each log record, the user name would be redundant. (I'm not saying there is never redundant data on log records, I'm especially not saying that about Windows log events, but still...)

So, you'll need to contact your security folks to find out what process you need to use to enrich the log data. Maybe they'll give you a daily or weekly dump of the AD files, maybe they'll give you the ability to read them directly, maybe they'll tell you you're not going to get that info.

If they refuse, then you'll have to start looking for ways to correlate the userids with their user names. There usually ARE events that would have user names, but sometimes you'll have to track back the IP address or use other clues to run it all down. (Which is a large part of why various SIEM tools, including Splunk Enterprise Security, exist...)

Start by researching the various events with your own ID and name, since you'll be able to read them with very little confusion --assuming you're not named "John Green" or "Norton Windows".

0 Karma