Splunk Search

Search for users having a type of connection based on sessionID

pbabos
Explorer

Hello,

I'm trying to debug an issue with an FTP service. I'd like to know which users are using 'active data connection', where the connecting point would only be the sessionID. I have already extracted sessionID and userID as fields.

The logs for the sessions vary between 150-3000 lines of events, and I don't know how to match my search criteria to extract a userID connected to the sessionID that my search result is returning.


index=p_ftp sourcetype=debug "active data connection" | stats values(sessionID)

This is giving me the sessionIDs properly, I just need the userIDs from the session it logged usually plenty of lines before.

Can you please help me?

Thanks a lot in advance

1 Solution

PickleRick
SplunkTrust

If I remember correctly, it's not a session ID as such, but a process identifier for a particular process spawned from the main proftpd daemon to serve this client.

Anyway, it's easiest to correlate such sequences of events with a transaction.

You do

| transaction SessionID

And you get events grouped into transactions. From those you can

| search "active connection or whatever you need"

And finally get your userid field from matching transactions by means of "fields" or "table" commands.


PickleRick
SplunkTrust

Show us a bit of your data. For now it's not obvious what's the relation (in your raw events) between UserID and SessionID.

If you have events matching UserID and SessionID - that's great, the possible solution has already been posted. But if you have distinct events - one specifying SessionID and another one with UserID - that won't be that easy. You'll need something to connect the events on.


pbabos
Explorer

Ah yeah, sorry, it would be much easier of course.

This is an example, where you can see the session number is 3082, the user is ftptest_user, and I'm looking for the user of the session where my search matches 'active data connection opened'.

2021-10-22 14:22:06,261 proftpd[3082] ftp.ip (client.ip[client.ip]): USER ftptest_user: Login successful.
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_core
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_core
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_vroot
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_vroot
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_auth
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_xfer
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): in dir_check_full(): path = '/monitor.txt', fullpath = '/monitor.txt'
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching CMD command 'RETR monitor.txt' to mod_vroot
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching CMD command 'RETR monitor.txt' to mod_xfer
2021-10-22 14:22:06,311 proftpd[3082] ftp.ip (client.ip[client.ip]): active data connection opened - local  : ftp.ip:46490
2021-10-22 14:22:06,311 proftpd[3082] ftp.ip (client.ip[client.ip]): active data connection opened - remote : client.ip:9288


pbabos
Explorer

wow thanks it worked like a charm 🙂


PickleRick
SplunkTrust

One more thing - as I said earlier - since your sessionID is actually a pid of proftpd process and might roll-over and repeat, you might tweak the transaction parameters a little (especially the duration and/or events triggering start/end of transaction). But if you don't have many clients, it might not be necessary.

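The two replies above (the transaction-based correlation, and the warning that proftpd's pid can roll over and be reused by a later client) can be tried outside Splunk on the posted log format. What follows is an added example, not code from the thread, from Splunk or from ProFTPD: it groups events by the pid the way `transaction sessionID` does, but starts a fresh transaction on each "Login successful" line and on a maximum span, which is the SPL equivalent of `transaction sessionID startswith="Login successful" maxspan=1h`. The sample lines are constructed in the format pbabos posted; the second client on pid 3082 (`reused_pid_user`) and the one-hour span are assumptions added to show why the naive "group everything by pid" answer over-reports users.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on the lines posted in the thread.
# Pid 3082 is deliberately reused by a second login later in the day
# (an assumed scenario) to mimic pid roll-over on a busy server.
SAMPLE_LOG = """\
2021-10-22 14:22:06,261 proftpd[3082] ftp.ip (client.ip[client.ip]): USER ftptest_user: Login successful.
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching CMD command 'RETR monitor.txt' to mod_xfer
2021-10-22 14:22:06,311 proftpd[3082] ftp.ip (client.ip[client.ip]): active data connection opened - local  : ftp.ip:46490
2021-10-22 14:22:06,311 proftpd[3082] ftp.ip (client.ip[client.ip]): active data connection opened - remote : client.ip:9288
2021-10-22 14:25:10,004 proftpd[4110] ftp.ip (client.ip[client.ip]): USER passive_user: Login successful.
2021-10-22 14:25:10,120 proftpd[4110] ftp.ip (client.ip[client.ip]): dispatching CMD command 'PASV' to mod_core
2021-10-22 16:40:01,000 proftpd[3082] ftp.ip (client.ip[client.ip]): USER reused_pid_user: Login successful.
2021-10-22 16:40:01,050 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching CMD command 'STOR upload.bin' to mod_xfer
"""

# Timestamp, pid (the "sessionID" field) and the free-text message.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) proftpd\[(?P<pid>\d+)\] .*?\): (?P<msg>.*)$")
# The login line that carries the userID.
USER_RE = re.compile(r"USER (?P<user>\S+): Login successful")


def parse(line):
    """Turn one raw line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return {"ts": ts, "sessionID": m["pid"], "msg": m["msg"]}


def build_transactions(lines, maxspan=timedelta(hours=1)):
    """Group events by sessionID like `transaction sessionID`, but close the
    current group and open a new one on a login line (startswith) or when
    the group would exceed maxspan. Returns a list of transaction dicts."""
    open_tx = {}   # sessionID -> transaction currently being built
    finished = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        pid = ev["sessionID"]
        login = USER_RE.search(ev["msg"])
        cur = open_tx.get(pid)
        if cur is None or login or ev["ts"] - cur["start"] > maxspan:
            if cur is not None:
                finished.append(cur)          # pid reused: previous session ends here
            cur = {"sessionID": pid, "start": ev["ts"], "userID": None, "events": []}
            open_tx[pid] = cur
        if login:
            cur["userID"] = login["user"]     # userID is merged into the transaction
        cur["events"].append(ev["msg"])
    finished.extend(open_tx.values())
    return finished


def users_with_active_data_connection(lines):
    """Equivalent of `... | transaction ... | search "active data connection"
    | table userID`: users whose own session opened an active data connection."""
    return sorted(
        tx["userID"]
        for tx in build_transactions(lines)
        if tx["userID"] and any("active data connection" in m for m in tx["events"])
    )


def naive_users_with_active_data_connection(lines):
    """What plain grouping by pid reports: every user ever seen on a pid that
    opened an active data connection, including users of a reused pid."""
    users, active = defaultdict(set), set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        login = USER_RE.search(ev["msg"])
        if login:
            users[ev["sessionID"]].add(login["user"])
        if "active data connection" in ev["msg"]:
            active.add(ev["sessionID"])
    return sorted(u for pid in active for u in users[pid])


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("with login boundaries:", users_with_active_data_connection(lines))
    print("naive grouping by pid:", naive_users_with_active_data_connection(lines))
```

With the login boundary only `ftptest_user` is reported, while grouping by pid alone also blames `reused_pid_user`, whose session never opened an active data connection. On a server with few clients the pid rarely comes back within one search window, which is why the simple `| transaction sessionID` worked for the original poster; the `startswith` and `maxspan` tweaks are the cheap insurance for when it does.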

gcusello
SplunkTrust

Hi @pbabos,

did you try something like this:

index=p_ftp sourcetype=debug "active data connection" 
| stats values(userID) AS userID BY sessionID

?

Ciao.

Giuseppe
