Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Report all VPN accounts that are being shared by their owners

jsanio
New Member
‎10-08-2010 07:36 PM

Splunkers... I have dug thru the Answers Area for quite some time, and have not found what I am looking for. I am thinking that the solution would be in some form of transaction, but I am a bit of a neophyte with Splunk and am having difficulty developing a solution.

So.. I am hoping that y'all might be able to help me.

Problem: I have users who are likely sharing their VPN accounts to access my network. My assumption is that ANY user who is logged more than once over the same time period would be sharing accounts

I want to identify those users, and report who they are, how often the accounts are shared

My logging is from a Cisco VPN Concentrator and the logging looks like

Oct  8 15:30:19 XXX.XXX.com local0:notice 800067: 2010 Oct 08 15:28:56.460 EDT -4:00 %AUTH-5-28: RPT=138359: xxx.xxx.xxx.xxx: User [domain1\tannesh] Group [remotentusers] disconnected:  Session Type: IPSec/UDP  Duration: 0:00:50  Bytes xmt: 749392  Bytes rcv: 112960  Reason: User Requested


Oct  8 15:29:58 xxx.xxx.com local0:notice 800038: 2010 Oct 08 15:28:35.840 EDT -4:00 %IKE-5-52: RPT=139484: xxx.xxx.xxx.xxx: Group [remotentusers] User [domain1\tannesh] User (tannesh) authenticated.

My closest Failed Attempt looks like 

eventtype="VPN LogData"| search authenticated OR disconnected |rex field=_raw "(^.*\sUser\s\[\w+\]\sUser\s\(\w+\)\s)(?<CMD>.*)(\..*$)" | rex field=_raw "(^.*\[remotentusers\]\s)(?<REZULT>.*)(Session\sType.*$)"  |rex field=_raw "(^.*Duration:\s)(?<DURA>.*)(\s+Bytes\sxmt:.*$)" |transaction DURA CMD maxpause=5m

Thanks..

Tags (1)
0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎10-09-2010 05:05 AM

Let's assume that you have a field extracted called "User". Then you can just use transaction with startswith and endswith. Any duplicate will have more than two events because there will be two authenticates before the first disconnect. So, for example:

... | transaction User startswith=authenticated endswith=disconnected | search eventcount > 2
Reply

jsanio
New Member
‎10-13-2010 04:39 PM

This seems to work... Thanks very much

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...