Splunk Search

Tracking User Activity Across applications without matching sourcetypes or Fields

Communicator

I am attempting to track user activity from a VDI login to the use of a shared account to log into an application. For example, user=Tim logs into his VDI session VDI-XXXX at 9am, then opens up an application, sample_app, and logs in as user=admin. How do I bring the two events into one transaction? In this case, assume that we have only the application account name, admin, and that the VDI user name can change.

I can track general logons as follows as a catchall:

index="*" user="*"  "*logged*"

I've attempted to use a subsearch to narrow it down to just the application usage, and hopefully the VDI session that led to the application logon, but those searches come back blank.

Sample searches tried:

index=* user=* "*logged*" [search sourcetype=sample_app user=admin "*logged*" | fields + user, computer, event] | table _time, user, computer, event | sort _time
0 Karma
1 Solution

Communicator

So I found a better way to complete this query, using a multisearch. See the updated query below. It searches for the VDI session computer, utilizing an inputlookup that lists the expected users of the shared account. The second search is just checking for login activity for the shared account on the application.

|multisearch [search index=* *logged* ComputerName=pci-vdi* [|inputlookup account_users |fields + user] |fields + user,name, ComputerName,Msg,app, EventCode,src_ip] [search sourcetype=application user="sharedaccount" *logged* action=success | fields + user,host, Msg, app] | eval computer= coalesce(ComputerName, host), event=coalesce(name, Msg), Hour=strftime(_time, "%B %d %Y, %I:%M:%S %p"), user=upper(user) | dedup computer event |where computer!=" " | table Hour, user, computer, app,event | sort Hour user

Now I need to figure out how to populate the searches only when search 2 finds a hit. Thoughts?


0 Karma
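Working the pairing problem from the question in Python, as an added example that is not from the thread: it parses the two event shapes the thread shows (a 4624-style VDI logon carrying ComputerName, and the su/pam_unix line carrying host), keeps only VDI logons by users from a stand-in for the account_users lookup, and attributes each shared-account login to the latest such logon inside a time window, reporting when more than one VDI session qualifies so the pairing is visibly not 1-to-1. All event data, user names and host names are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, not from the thread. VDI side: 4624-style logon text
# with a ComputerName field; app side: the su/pam_unix line with a host field.
# All names (tim, bob, pci-vdi-01/02, app-srv-1) are hypothetical.
NEW_LOGON_RE = re.compile(r"New Logon:.*?Account Name:\s*(\S+)", re.S)
SU_RE = re.compile(r"session opened for user (\S+) by")

# Stand-in for the account_users inputlookup: people expected to use the shared account.
ACCOUNT_USERS = {"TIM", "BOB"}

VDI_EVENTS = [  # (_time, ComputerName, _raw) with the 4624 text cut down to the key block
    (datetime(2021, 2, 1, 8, 0), "pci-vdi-01", "New Logon:\n  Account Name: DEV1$\n"),
    (datetime(2021, 2, 1, 9, 0), "pci-vdi-01", "New Logon:\n  Account Name: tim\n"),
    (datetime(2021, 2, 1, 10, 50), "pci-vdi-01", "New Logon:\n  Account Name: tim\n"),
    (datetime(2021, 2, 1, 10, 55), "pci-vdi-02", "New Logon:\n  Account Name: bob\n"),
]
SU_LINE = "su: pam_unix(su-l:session): session opened for user root by (uid=0)"
APP_EVENTS = [  # (_time, host, _raw): three shared-account logins on the app server
    (datetime(2021, 2, 1, 9, 5), "app-srv-1", SU_LINE),
    (datetime(2021, 2, 1, 11, 0), "app-srv-1", SU_LINE),
    (datetime(2021, 2, 1, 14, 0), "app-srv-1", SU_LINE),
]

def vdi_logons(events):
    """Yield (time, computer, USER) for VDI logons by expected users, dropping
    machine accounts (DEV1$) and anyone not in the lookup."""
    for t, computer, raw in events:
        m = NEW_LOGON_RE.search(raw)
        if m and not m.group(1).endswith("$") and m.group(1).upper() in ACCOUNT_USERS:
            yield t, computer, m.group(1).upper()

def correlate(vdi, app, max_gap=timedelta(minutes=30)):
    """Attribute each shared-account login to the latest expected-user VDI logon
    inside max_gap. 'candidates' counts distinct VDI computers seen in the window:
    > 1 means the pairing was not 1-to-1, 0 means no VDI logon explains the login."""
    logons = sorted(vdi_logons(vdi))
    results = []
    for t, host, raw in app:
        m = SU_RE.search(raw)
        if not m:
            continue
        window = [l for l in logons if t - max_gap <= l[0] <= t]
        best = window[-1] if window else None
        results.append({"app_time": t, "app_user": m.group(1), "host": host,
                        "vdi_user": best[2] if best else None,
                        "computer": best[1] if best else None,
                        "candidates": len({l[1] for l in window})})
    return results
```

One caveat on the thread's query: sorting on the formatted Hour string orders rows alphabetically by month name rather than chronologically, so sort on _time before formatting it for display.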

Communicator

index=_internal sourcetype=* | stats count by clientip, user

0 Karma

Communicator

Sample events are below:

VDI logon events:
"An account was successfully logged on.

Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
  Logon Type: 3

Impersonation Level: Impersonation

New Logon:
  Security ID: LB\DEV1$
  Account Name: DEV1$
  Account Domain: LB
  Logon ID: 0x894B5E95
  Logon GUID: {f09e5f81-9f19-5f11-29b8-8750c7c02be3}

Process Information:
  Process ID: 0x0
  Process Name: -"

Application logon sample (these differ per application): use of the root account on Linux

"su: pam_unix(su-l session): session opened for user root by (uid=0)"

VDI type: VMware (unsure which version, though).

0 Karma

Esteemed Legend

Did I reformat your text correctly? You have neglected to show _time, which is really the key here. How close together are these events in time (or should I say "at worst, how far apart are the matching events from each other in time")? And is it always 1-to-1 for pairing?

0 Karma

SplunkTrust

In addition to showing some sample events, it might also be useful to know which VDI system you are using, in case there are some additional or different logs you can enable that will tell you this information directly.

0 Karma

Esteemed Legend

You are going to have to show some sample events.

0 Karma
