Splunk Search

Search for users having a type of connection based on sessionID

pbabos
Explorer

Hello,

I'm trying to debug an issue with an FTP service. I'd like to know that which users are using 'active data connection', where the connecting point would only be the sessionID. I have already extracted sessionID and userID as fields.

The logs for the sessions are varying between 150-3000 lines of events, and I don't know how to match my search criteria, to extract a userID connected to the sessionID that my search result is returning. 

index=p_ftp sourcetype=debug "active data connection" | stats values(sessionID)

This is giving me the sessionIDs properly, I just need the userIDs from the session it logged usually plenty of lines before.

Can you please help me?

Thanks a lot in advance

1 Solution

PickleRick
SplunkTrust
SplunkTrust

If I remember correctly, it's not a session ID as such, but a process identifier for a particular process spawned from the main proftpd daemon to serve this client.

Anyway, it's easiest to correlate such sequences of events with a transaction.

You do

| transaction SessionID

And you get events grouped into transactions. From those you can

| search "active connection or whatever you need"

And finally get your userid field from matching transactions by means of "fields" or "table" commands.


PickleRick
SplunkTrust
SplunkTrust

Show us a bit of your data. For now it's not obvious what's the relation (in your raw events) between UserID and SessionID.

If you have events matching UserID and SessionID - that's great, the possible solution has already been posted. But if you have distinct events - one specifying SessionID and another one with UserID - that won't be that easy. You'll need something to connect the events on.


pbabos
Explorer

Ah yeah, sorry, it would be much easier of course.

This is an example, where you can see the session number is 3082, the user is ftptest_user, and I'm looking for the user of the session where my search matches 'active data connection opened'.

2021-10-22 14:22:06,261 proftpd[3082] ftp.ip (client.ip[client.ip]): USER ftptest_user: Login successful.
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_core
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_core
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_vroot
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_vroot
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_auth
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_xfer
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): in dir_check_full(): path = '/monitor.txt', fullpath = '/monitor.txt'
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching CMD command 'RETR monitor.txt' to mod_vroot
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching CMD command 'RETR monitor.txt' to mod_xfer
2021-10-22 14:22:06,311 proftpd[3082] ftp.ip (client.ip[client.ip]): active data connection opened - local  : ftp.ip:46490
2021-10-22 14:22:06,311 proftpd[3082] ftp.ip (client.ip[client.ip]): active data connection opened - remote : client.ip:9288


pbabos
Explorer

Wow, thanks, it worked like a charm 🙂


PickleRick
SplunkTrust
SplunkTrust

One more thing - as I said earlier - since your sessionID is actually a pid of proftpd process and might roll-over and repeat, you might tweak the transaction parameters a little (especially the duration and/or events triggering start/end of transaction). But if you don't have many clients, it might not be necessary.

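PickleRick's transaction-then-search approach and the pid-reuse caveat above, emulated as an added Python example (not code from the thread): it parses a constructed log built from the lines pbabos posted plus a later login that reuses pid 3082, and shows why the text filter has to run after grouping and why a start marker for the transaction matters.

```python
import re
# Constructed sample (not verbatim from the thread): the proftpd lines pbabos posted, trimmed,
# followed by an unrelated session and a later login that reuses pid 3082.
SAMPLE_LOG = """\
2021-10-22 14:22:06,261 proftpd[3082] ftp.ip (client.ip[client.ip]): USER ftptest_user: Login successful.
2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching CMD command 'RETR monitor.txt' to mod_xfer
2021-10-22 14:22:06,311 proftpd[3082] ftp.ip (client.ip[client.ip]): active data connection opened - local  : ftp.ip:46490
2021-10-22 14:22:06,311 proftpd[3082] ftp.ip (client.ip[client.ip]): active data connection opened - remote : client.ip:9288
2021-10-22 16:05:41,002 proftpd[4101] ftp.ip (client.ip[client.ip]): USER third_user: Login successful.
2021-10-22 18:40:12,780 proftpd[3082] ftp.ip (client.ip[client.ip]): USER second_user: Login successful.
2021-10-22 18:40:13,004 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching CMD command 'PWD' to mod_core
"""

# Timestamp, pid (the thread's "sessionID") and the message after the client block.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) proftpd\[(?P<pid>\d+)\] .*?\): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"USER (?P<user>\S+): Login successful")

def parse_events(log_text):
    """Yield (timestamp, pid, message) for each well-formed proftpd debug line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["pid"], m["msg"]

def users_by_pid_only(log_text):
    """Plain 'transaction sessionID' with no start marker: a reused pid merges two logins."""
    users = {}
    for _, pid, msg in parse_events(log_text):
        m = LOGIN_RE.search(msg)
        if m:
            users.setdefault(pid, set()).add(m["user"])
    return users

def build_transactions(log_text):
    """Like 'transaction sessionID startswith="Login successful"': each login opens a new transaction for its pid."""
    transactions, open_by_pid = [], {}
    for ts, pid, msg in parse_events(log_text):
        m = LOGIN_RE.search(msg)
        if m or pid not in open_by_pid:
            tx = {"pid": pid, "user": m["user"] if m else None, "start": ts, "events": []}
            transactions.append(tx)
            open_by_pid[pid] = tx
        open_by_pid[pid]["events"].append(msg)
    return transactions

def users_with_active_data_connection(log_text):
    """Filter AFTER grouping (| search after | transaction): the login line carrying the user
    is still inside the same transaction as the 'active data connection opened' line."""
    return sorted((tx["pid"], tx["user"]) for tx in build_transactions(log_text)
                  if any("active data connection opened" in e for e in tx["events"]))
```

Filtering on "active data connection" before grouping, as in the original search, would drop the login lines and leave no userID to report.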

gcusello
SplunkTrust
SplunkTrust

Hi @pbabos,

did you try something like this:

index=p_ftp sourcetype=debug "active data connection" 
| stats values(userID) AS userID BY sessionID

?

Ciao.

Giuseppe
