Splunk Search

Show Only Logon Events

vessev
Path Finder

I simply will audit our Administrators on which Systems they are logged on right now.

but i cannot separate only EventCode 4625 Events who has no EventCode 4634 Event.
The major Problem here is that the EventCodes for Login and Logoff dealing with Logon_ID's
I will sort out every Logon Event (and Logoff Event) which has a specific Logoff Event.

first i tryed this way

index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=server-*   
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) 
| eval logid=if(mvcount(Logon_ID)>1, mvindex(Logon_ID,1),mvindex(Logon_ID,0)) 
| eval LogonID_4624=if(EventCode="4624", mvindex(Logon_ID, 1), null()) 
| eval LogonID_4634=if(EventCode="4634", Logon_ID, null()) 
| transaction fields="User" maxspan=-1
| eval Keep_Or_Not=if(LogonID_4624=LogonID_4634, "Keep", "Do_Not_Keep")
| search Keep_Or_Not="Do_Not_Keep"
| table _time, User, EventCode, Keep_Or_Not, LogonID_4624, LogonID_4634, Source_Network_Address, IP_RESOLVED, tag::app 
| sort by User

then there was no success so i tried another query:

index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=server-evermann   
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) 
| eval logid=if(mvcount(Logon_ID)>1, mvindex(Logon_ID,1),mvindex(Logon_ID,0)) 
| eval LogonID_4624=if(EventCode="4624", mvindex(Logon_ID, 1), null()) 
| eval LogonID_4634=if(EventCode="4634", Logon_ID, null())

I thank you

0 Karma
1 Solution

sundareshr
Legend

Try this

index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=server-* | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) | transaction User startswith="EventCode=4625" endswith="EventCode=4634" maxspan=8h maxevents=2 keepevicted=t | where closed_txn=0 | table _time User EventCode

View solution in original post

vessev
Path Finder

i have found out that i can have a NOT search as subsearch. Here every Event is kicked out who has the logon id in EventCode 4634.
Its not a search query for Real Time searches but it kinda does its work.

Account_Name=server-evermann EventCode=4624 | eval logid=mvindex(Logon_ID, 1) | search NOT [search Account_Name=server-evermann EventCode=4634 | rename Logon_ID as logid | table logid] | table _time, logid, Source_Network_Address, host | sort - _time

The second problem is way worse, and that is something i found out through solving that problem.
A Logon Event on a DC is not like you think it is. Sometimes more than 4 Events are generated when logging on a System.
Which all have different Logon_ID's .. .a few minutes later all the Logon_ID's are marked as Logoff ( From EventCode 4634) even the connection is still established. That's because not the Logon from the user is generating the Logon Event 4624 - the Update from GPO does this. That means ive got an EventCode 4624 generatet on every Logon i do on a Server (and force a user specific GPO Update Force) which comes on every 90 minutes (depending on your configuration on how often the GPO should Update) and gets a Logoff Event when the Update is done ...

Does anyone has the same Problem with domain user logging? I simply Log all my DC's and thought i could catch all Logon and Logoff actions in my Domain. I dont think that it is nessesary to install a universal forwarder on every Server in my domain or use WMI (which is a lame piece of crap in my opinion) or is it?!

0 Karma

sundareshr
Legend

Try this

index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=server-* | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) | transaction User startswith="EventCode=4625" endswith="EventCode=4634" maxspan=8h maxevents=2 keepevicted=t | where closed_txn=0 | table _time User EventCode

vessev
Path Finder

i will try that thank you for now 🙂

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...