How to find an active user session on different machines at the same time?

Communicator

Hello Splunkers.

Using the wineventlog I can tell when a user logged on and off based on EventCodes 4624 and 4634 and the logon id:

Logon:

03/09/2017 11:54:51 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=xxxxxxxxxx
TaskCategory=Logon
OpCode=Info
RecordNumber=xxxxx
Keywords=Audit Success
Message=An account was successfully logged on.
...
New Logon:
Security ID:        XXX\visit
Account Name:       visit
Account Domain:     XXX
Logon ID:       0xA2207D111

Logoff:

03/09/2017 12:11:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=xxxxxx
TaskCategory=Logoff
OpCode=Info
RecordNumber=xxxxxx
Keywords=Audit Success
Message=An account was logged off.

Subject:
    Security ID:        XXX\visit
    Account Name:       visit
    Account Domain:     XXX
    Logon ID:       0xA2207D111

However, I need to know when the same Account Name exists on two machines, I mean, when there are two sessions active at the same time.

Any ideas how I can do this?

Regards,
GMA

1 Solution

Esteemed Legend

Try this:

... | streamstats current=f last(EventCode) AS nextEventCode BY user
| reverse
| streamstats current=f last(EventCode) AS prevEventCode BY user
| reverse
| search (EventCode=4624 AND prevEventCode=4624) OR (EventCode=4624 AND nextEventCode=4624)

This shows you any time any user has 2 logins (4624) without a logout between them (4634). This is a HUGE shortcut.

Communicator

I tried this:

index="myindex_wineventlog" user=visit (EventCode=4624 OR EventCode=4634) | rex field=_raw "(?<tr_id>0x\w{9})" | transaction tr_id | concurrency duration=duration

However, this search brings the durations of the sessions, and not the sessions that overlap...

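As an added example that is not from either poster, here is the overlap check the question asks for (and that the `transaction | concurrency` attempt above does not quite give) done outside Splunk in Python over constructed 4624/4634 records: each 4624 is paired with the 4634 carrying the same Logon ID on the same host, and sessions of one account that overlap in time on different hosts are reported. Hostnames, Logon IDs and timestamps are made up for the example.

```python
"""Find concurrent sessions of one account on different hosts from 4624/4634 events."""
from datetime import datetime
from itertools import combinations

# Constructed sample events: (timestamp, EventCode, ComputerName, Account Name, Logon ID)
EVENTS = [
    ("03/09/2017 11:54:51 AM", 4624, "WS01", "visit", "0xA2207D111"),
    ("03/09/2017 11:58:02 AM", 4624, "WS02", "visit", "0xB31C0F002"),  # overlaps the WS01 session
    ("03/09/2017 12:11:21 PM", 4634, "WS01", "visit", "0xA2207D111"),
    ("03/09/2017 12:30:00 PM", 4634, "WS02", "visit", "0xB31C0F002"),
    ("03/09/2017 01:00:00 PM", 4624, "WS01", "visit", "0xC0000A003"),  # later session, no overlap
    ("03/09/2017 01:20:00 PM", 4634, "WS01", "visit", "0xC0000A003"),
    ("03/09/2017 01:05:00 PM", 4624, "WS03", "bob",   "0xD0000A004"),  # other user, never logged off
]
FMT = "%m/%d/%Y %I:%M:%S %p"  # the wineventlog timestamp layout shown in the question


def build_sessions(events, now=None):
    """Pair each 4624 with the 4634 that carries the same Logon ID.

    Logon IDs are only unique per host (and per boot), so the key is (host, logon_id).
    A session with no 4634 is still open and is treated as ending at `now`
    (default: the newest timestamp seen)."""
    parsed = sorted(((datetime.strptime(ts, FMT), code, host, user, lid)
                     for ts, code, host, user, lid in events), key=lambda e: e[0])
    sessions = {}
    for t, code, host, user, lid in parsed:
        if code == 4624:
            sessions[(host, lid)] = {"user": user, "host": host, "start": t, "end": None}
        elif code == 4634 and (host, lid) in sessions:
            sessions[(host, lid)]["end"] = t
    now = now or parsed[-1][0]
    for s in sessions.values():
        if s["end"] is None:
            s["end"] = now
    return sessions


def concurrent_sessions(sessions):
    """Return (user, host_a, host_b, overlap_start, overlap_end) for every pair of
    sessions of the same user on different hosts whose time ranges intersect."""
    by_user = {}
    for s in sessions.values():
        by_user.setdefault(s["user"], []).append(s)
    hits = []
    for user, sess in by_user.items():
        for a, b in combinations(sess, 2):
            start, end = max(a["start"], b["start"]), min(a["end"], b["end"])
            if a["host"] != b["host"] and start < end:
                hits.append((user, a["host"], b["host"], start, end))
    return hits


if __name__ == "__main__":
    for hit in concurrent_sessions(build_sessions(EVENTS)):
        print(hit)
```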