Hi @shubhajits, you're asking many easy things:

1) To have the list of servers that are sending logs, you could run something like this:

| metasearch index=os OR index=wineventlog
| stats count BY index

but in this case you have only the servers that are sending logs; if a server is missing you don't have it, but this is another question that you can search in Community.

2) For successful or unsuccessful logins there's a problem: every Windows login generates around 10-12 login events (EventCode=4624), so the results could be non-reliable. Anyway, the search could be (for Windows) something like this:

index=wineventlog EventCode=4624 OR EventCode=4625
| stats count BY EventCode

and for Linux, something like this:

index=os sourcetype=linux_secure NOT disconnect ("accepted password" OR "failed password")
| eval action=if(searchmatch("accepted password"),"Login","LogFail")
| stats count BY action

If you want all in one panel it's just a little bit complicated, because you should create four eventtypes:

windows_login (index=wineventlog EventCode=4624)
windows_logfail (index=wineventlog EventCode=4625)
linux_login (index=os "accepted password")
linux_logfail (index=os "failed password")

using the above searches and associating LOGIN or LOGOUT tags to the eventtypes; then you can run a simple search using tags:

tag=LOGIN OR tag=LOGFAIL
| stats count BY index tag

3) About the alert for root or administrator, you have to search for the eventtypes windows_login or linux_login and the words root or administrator, something like this:

tag=LOGIN (root OR administrator)

Only one final hint: follow the Search Tutorial to understand SPL.

Ciao.
Giuseppe
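The same classification the answer builds with eventtypes and tags, written as an added Python example (not part of Giuseppe's answer or of Splunk) and run over constructed sample lines; the simplified Windows "Account Name:" layout, the index names and SAMPLE_LOGS are assumptions.

```python
import re
from collections import Counter

# Constructed sample events (index, raw text); not taken from any real host.
# Windows lines are simplified: a real 4624 carries two "Account Name:" fields.
SAMPLE_LOGS = [
    ("wineventlog", "EventCode=4624 Account Name: alice Logon Type: 2"),
    ("wineventlog", "EventCode=4625 Account Name: Administrator Logon Type: 3"),
    ("wineventlog", "EventCode=4624 Account Name: Administrator Logon Type: 10"),
    ("os", "sshd[1201]: Accepted password for root from 10.0.0.5 port 51822 ssh2"),
    ("os", "sshd[1202]: Failed password for bob from 10.0.0.6 port 51823 ssh2"),
    ("os", "sshd[1203]: Received disconnect from 10.0.0.5 port 51822:11: bye"),
]

# EventCode -> tag, mirroring the windows_login / windows_logfail eventtypes.
WIN_CODES = {"4624": "LOGIN", "4625": "LOGFAIL"}


def classify(index, line):
    """Return (tag, user) for a login-related event, or None otherwise."""
    if index == "wineventlog":
        m = re.search(r"EventCode=(\d+).*?Account Name:\s*(\S+)", line)
        if not m or m.group(1) not in WIN_CODES:
            return None
        return WIN_CODES[m.group(1)], m.group(2)
    if index == "os":
        if "disconnect" in line.lower():  # the "NOT disconnect" filter
            return None
        m = re.search(r"(Accepted|Failed) password for (\S+)", line, re.IGNORECASE)
        if not m:
            return None
        tag = "LOGIN" if m.group(1).lower() == "accepted" else "LOGFAIL"
        return tag, m.group(2)
    return None


def stats_by_index_tag(events):
    """Equivalent of 'tag=LOGIN OR tag=LOGFAIL | stats count BY index tag'."""
    counts = Counter()
    for index, line in events:
        hit = classify(index, line)
        if hit:
            counts[(index, hit[0])] += 1
    return counts


def privileged_logins(events):
    """Equivalent of 'tag=LOGIN (root OR administrator)': the alert candidates."""
    return [(index, classify(index, line)[1]) for index, line in events
            if classify(index, line) and classify(index, line)[0] == "LOGIN"
            and classify(index, line)[1].lower() in ("root", "administrator")]
```

Note that, as the answer says for Windows, one interactive logon can emit several 4624 events, so counts from this kind of logic are an upper bound, not a session count.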