Show Only Logon Events

vessev
Path Finder

I simply want to audit our administrators: on which systems are they logged on right now?

But I cannot separate out only the EventCode 4625 events which have no EventCode 4634 event.
The major problem here is that the EventCodes for logon and logoff deal with Logon_IDs.
I want to sort out every logon event (and logoff event) which has a specific logoff event.

First I tried this way:

index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=server-*   
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) 
| eval logid=if(mvcount(Logon_ID)>1, mvindex(Logon_ID,1),mvindex(Logon_ID,0)) 
| eval LogonID_4624=if(EventCode="4624", mvindex(Logon_ID, 1), null()) 
| eval LogonID_4634=if(EventCode="4634", Logon_ID, null()) 
| transaction fields="User" maxspan=-1
| eval Keep_Or_Not=if(LogonID_4624=LogonID_4634, "Keep", "Do_Not_Keep")
| search Keep_Or_Not="Do_Not_Keep"
| table _time, User, EventCode, Keep_Or_Not, LogonID_4624, LogonID_4634, Source_Network_Address, IP_RESOLVED, tag::app 
| sort by User

Then there was no success, so I tried another query:

index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=server-evermann   
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) 
| eval logid=if(mvcount(Logon_ID)>1, mvindex(Logon_ID,1),mvindex(Logon_ID,0)) 
| eval LogonID_4624=if(EventCode="4624", mvindex(Logon_ID, 1), null()) 
| eval LogonID_4634=if(EventCode="4634", Logon_ID, null())

I thank you

1 Solution

sundareshr
Legend

Try this

index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=server-* | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) | transaction User startswith="EventCode=4624" endswith="EventCode=4634" maxspan=8h maxevents=2 keepevicted=t | where closed_txn=0 | table _time User EventCode


vessev
Path Finder

I have found out that I can have a NOT search as a subsearch. Here every event is kicked out which has its logon ID in an EventCode 4634 event.
It's not a search query for real-time searches, but it kinda does its work.

Account_Name=server-evermann EventCode=4624 | eval logid=mvindex(Logon_ID, 1) | search NOT [search Account_Name=server-evermann EventCode=4634 | rename Logon_ID as logid | table logid] | table _time, logid, Source_Network_Address, host | sort - _time

The second problem is way worse, and that is something I found out through solving that problem.
A logon event on a DC is not like you think it is. Sometimes more than 4 events are generated when logging on to a system,
which all have different Logon_IDs. A few minutes later all the Logon_IDs are marked as logged off (from EventCode 4634) even though the connection is still established. That's because it is not the logon from the user that generates the logon event 4624; the update from GPO does this. That means I've got an EventCode 4624 generated on every logon I do on a server (and on every forced user-specific GPO update), which comes every 90 minutes (depending on your configuration on how often the GPO should update) and gets a logoff event when the update is done...

Does anyone have the same problem with domain user logging? I simply log all my DCs and thought I could catch all logon and logoff actions in my domain. I don't think that it is necessary to install a universal forwarder on every server in my domain or use WMI (which is a lame piece of crap in my opinion), or is it?!

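The logic of both searches in this thread (the `NOT [subsearch]` on the 4634 Logon_IDs and the `mvindex` trick for picking the target account and new-logon Logon_ID out of a 4624 event) modelled outside Splunk, as an added example that is not from the thread. The events, account names, Logon_IDs and addresses are constructed, and the field layout assumes what the thread relies on: a 4624 event carries two `Account_Name`/`Logon_ID` values (index 0 = subject, index 1 = the new logon), a 4634 event carries one.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data); "at" stands in for _time.
# server-evermann gets two logon IDs a minute apart (the GPO-refresh pattern
# described above); only one of them is followed by a 4634 logoff.
T0 = datetime(2024, 1, 1, 8, 0)
EVENTS = [
    {"at": T0, "EventCode": 4624, "Account_Name": ["DC01$", "server-evermann"],
     "Logon_ID": ["0x3e7", "0x1a2b"], "Source_Network_Address": "10.0.0.5"},
    {"at": T0 + timedelta(minutes=1), "EventCode": 4624,
     "Account_Name": ["DC01$", "server-evermann"], "Logon_ID": ["0x3e7", "0x1a2c"],
     "Source_Network_Address": "10.0.0.5"},
    {"at": T0 + timedelta(minutes=5), "EventCode": 4634,
     "Account_Name": ["server-evermann"], "Logon_ID": ["0x1a2c"]},
    {"at": T0 + timedelta(minutes=10), "EventCode": 4624,
     "Account_Name": ["DC01$", "server-mueller"], "Logon_ID": ["0x3e7", "0x2b3c"],
     "Source_Network_Address": "10.0.0.9"},
    {"at": T0 + timedelta(minutes=11), "EventCode": 4634,
     "Account_Name": ["server-mueller"], "Logon_ID": ["0x2b3c"]},
]


def target_field(event, name):
    """Same as the thread's if(mvcount(X)>1, mvindex(X,1), mvindex(X,0)):
    take the second value of a multivalue field, else the only value."""
    values = event[name]
    return values[1] if len(values) > 1 else values[0]


def open_logons(events, prefix="server-"):
    """Return (time, user, logon_id, source) for every 4624 whose new-logon
    Logon_ID never shows up in a 4634 event - the 'search NOT [...]' logic."""
    logged_off = {target_field(e, "Logon_ID") for e in events if e["EventCode"] == 4634}
    result = []
    for e in events:
        if e["EventCode"] != 4624:
            continue
        user = target_field(e, "Account_Name")
        if not user.startswith(prefix):        # Account_Name=server-*
            continue
        logon_id = target_field(e, "Logon_ID")
        if logon_id not in logged_off:
            result.append((e["at"], user, logon_id, e.get("Source_Network_Address")))
    return sorted(result, key=lambda r: r[0], reverse=True)   # like `sort - _time`


if __name__ == "__main__":
    for row in open_logons(EVENTS):
        print(row)
```

With the sample data only server-evermann's first Logon_ID (0x1a2b) is reported as still open, which also shows why a per-Logon_ID view over-reports sessions when GPO refreshes create extra 4624/4634 pairs.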


vessev
Path Finder

I will try that, thank you for now 🙂
