Splunk Search

Show Only Logon Events

vessev
Path Finder

I simply will audit our Administrators on which Systems they are logged on right now.

but i cannot separate only EventCode 4625 Events who has no EventCode 4634 Event.
The major Problem here is that the EventCodes for Login and Logoff dealing with Logon_ID's
I will sort out every Logon Event (and Logoff Event) which has a specific Logoff Event.

first i tryed this way

index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=server-*   
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) 
| eval logid=if(mvcount(Logon_ID)>1, mvindex(Logon_ID,1),mvindex(Logon_ID,0)) 
| eval LogonID_4624=if(EventCode="4624", mvindex(Logon_ID, 1), null()) 
| eval LogonID_4634=if(EventCode="4634", Logon_ID, null()) 
| transaction fields="User" maxspan=-1
| eval Keep_Or_Not=if(LogonID_4624=LogonID_4634, "Keep", "Do_Not_Keep")
| search Keep_Or_Not="Do_Not_Keep"
| table _time, User, EventCode, Keep_Or_Not, LogonID_4624, LogonID_4634, Source_Network_Address, IP_RESOLVED, tag::app 
| sort by User

then there was no success so i tried another query:

index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=server-evermann   
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) 
| eval logid=if(mvcount(Logon_ID)>1, mvindex(Logon_ID,1),mvindex(Logon_ID,0)) 
| eval LogonID_4624=if(EventCode="4624", mvindex(Logon_ID, 1), null()) 
| eval LogonID_4634=if(EventCode="4634", Logon_ID, null())

I thank you

0 Karma
1 Solution

sundareshr
Legend

Try this

index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=server-* | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) | transaction User startswith="EventCode=4625" endswith="EventCode=4634" maxspan=8h maxevents=2 keepevicted=t | where closed_txn=0 | table _time User EventCode

View solution in original post

vessev
Path Finder

i have found out that i can have a NOT search as subsearch. Here every Event is kicked out who has the logon id in EventCode 4634.
Its not a search query for Real Time searches but it kinda does its work.

Account_Name=server-evermann EventCode=4624 | eval logid=mvindex(Logon_ID, 1) | search NOT [search Account_Name=server-evermann EventCode=4634 | rename Logon_ID as logid | table logid] | table _time, logid, Source_Network_Address, host | sort - _time

The second problem is way worse, and that is something i found out through solving that problem.
A Logon Event on a DC is not like you think it is. Sometimes more than 4 Events are generated when logging on a System.
Which all have different Logon_ID's .. .a few minutes later all the Logon_ID's are marked as Logoff ( From EventCode 4634) even the connection is still established. That's because not the Logon from the user is generating the Logon Event 4624 - the Update from GPO does this. That means ive got an EventCode 4624 generatet on every Logon i do on a Server (and force a user specific GPO Update Force) which comes on every 90 minutes (depending on your configuration on how often the GPO should Update) and gets a Logoff Event when the Update is done ...

Does anyone has the same Problem with domain user logging? I simply Log all my DC's and thought i could catch all Logon and Logoff actions in my Domain. I dont think that it is nessesary to install a universal forwarder on every Server in my domain or use WMI (which is a lame piece of crap in my opinion) or is it?!

0 Karma

sundareshr
Legend

Try this

index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=server-* | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) | transaction User startswith="EventCode=4625" endswith="EventCode=4634" maxspan=8h maxevents=2 keepevicted=t | where closed_txn=0 | table _time User EventCode

vessev
Path Finder

i will try that thank you for now 🙂

0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...