Splunk Search
Highlighted

How to search for who and when accessed the server?

New Member

Hi.

I would like to search who (user) and when accessed the server (server_name)

I make a search like this but I don't get the right results.

dest="server_name" user="*" src="*" | table _time user src dest action

Can please somebody help me.
Thanks.

0 Karma
Highlighted

Re: How to search for who and when accessed the server?

SplunkTrust
SplunkTrust

What results are you getting and what do you expect to get?

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: How to search for who and when accessed the server?

New Member

I get:

_time user src dest action
2017-08-09 14:36:04 n/a server-02 server-01 blocked
2017-08-09 11:41:09 n/a server-02 server-01 blocked
2017-08-09 09:55:21 n/a server-02 server-01 blocked

I'm supposed to get the users(usernames) who connect to server-01 (destination).
Am I missing something?

0 Karma
Highlighted

Re: How to search for who and when accessed the server?

SplunkTrust
SplunkTrust

marked code. Also, in general, you should always put the index name in your code.

0 Karma
Highlighted

Re: How to search for who and when accessed the server?

SplunkTrust
SplunkTrust

This depend on whether the server is Windows, unix, or something else.

To research this, use your own userid and the name of a server that you normally log on to, run a verbose search like this...

index=* "myserver" "myuserid"

Look at the results you get for the data and time you last logged on.

If it's Windows, you will be looking at an event 4624 (or some older ones in the 500 series).

If it's Unix, you will probably be looking at a PAM accepted record or something similar.

If it's an IBM mainframe, it will be a RACF record.

Look at the fields that are available on that record. Maybe you've misspelled them, or mis-capitalized them, or something. Maybe they just aren't there.

If that isn't enough to solve your problem, then update your question details showing the form of the record, with any confidential information masked. Change ip to 1.2.3.4 or 5.6.7.8, host name to myhost.mycompany.com, userid to myuserid... stuff like that.

We'll get you through this.

0 Karma