I've seen several threads, but nothing to really dial in what we're needing for reporting. Figured I would see if anyone else had input on this while I keep waiting on my ticket to be answered.
This is the search query I've managed to piece together:

```spl
sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) Account_Name=*
| search NOT (Account_Name=$ OR Account_Name=SYSTEM OR Account_Name=ANONYMOUS)
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name,0))
| eval User=lower(User)
| search NOT (User=*$ OR User=system)
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logofftime=_time+duration
| convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as Logontime
| convert timeformat="%m/%d/%y %H:%M:%S" ctime(Logofftime) as Logofftime
| eval h=floor(duration/3600)
| eval m=floor((duration-(h*3600))/60)
| eval s=floor(duration-(h*3600)-(m*60))
| eval SessionDuration=h."h ".m."m ".s."s"
| table Logontime, Logofftime, SessionDuration, User, host
| sort User host
```
This query gives an output like this:

```
Logontime          Logofftime         SessionDuration  User      host
12/11/17 23:32:29  12/11/17 23:32:29  0h 0m 0s         john.doe  PrimaryDC
12/11/17 21:46:30  12/11/17 21:46:30  0h 0m 0s         john.doe  PrimaryDC
12/11/17 21:46:29  12/11/17 21:47:00  0h 0m 31s        john.doe  PrimaryDC
12/11/17 21:46:29  12/11/17 21:56:41  0h 10m 12s       john.doe  PrimaryDC
12/11/17 20:43:03  12/11/17 20:43:14  0h 0m 11s        john.doe  PrimaryDC
12/11/17 20:12:34  12/11/17 20:13:05  0h 0m 31s        john.doe  PrimaryDC
12/11/17 20:00:29  12/11/17 20:00:29  0h 0m 0s         john.doe  PrimaryDC
12/11/17 20:00:29  12/11/17 20:01:00  0h 0m 31s        john.doe  PrimaryDC
12/11/17 18:14:29  12/11/17 18:14:29  0h 0m 0s         john.doe  PrimaryDC
12/11/17 18:14:28  12/11/17 18:24:40  0h 10m 12s       john.doe  PrimaryDC
12/11/17 16:43:03  12/11/17 16:43:18  0h 0m 15s        john.doe  PrimaryDC
12/11/17 16:28:29  12/11/17 16:28:29  0h 0m 0s         john.doe  PrimaryDC
12/11/17 16:28:29  12/11/17 16:29:01  0h 0m 32s        john.doe  PrimaryDC
12/11/17 16:28:28  12/11/17 16:38:41  0h 10m 13s       john.doe  PrimaryDC
12/11/17 16:12:34  12/11/17 16:13:06  0h 0m 32s        john.doe  PrimaryDC
...
```
I'm trying to build a report to show users' logon and logoff times, along with the duration they were logged on and the source computer.
But it gives me random times and only seems to pull information about the PrimaryDC.
Anyone have any ideas to try and make this work? Thanks...
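Added example, not from the original post or from Splunk: the transaction above groups on User alone, so a 4624 on one host can be closed by a 4634 from another host or from a different logon of the same user, which is one source of the odd durations. This Python sketch pairs each 4624 only with the 4634 that shares its host and Logon ID and keeps unmatched logons as still open; the events are constructed, and the two-value Logon_ID layout of a 4624 (mirroring Account_Name) is an assumption about the Windows TA's field extraction.

```python
from datetime import datetime
TIME_FMT = "%m/%d/%y %H:%M:%S"
NOISE = {"system", "anonymous logon", "-"}
# Constructed sample events (not real log data). Assumed, as with Account_Name in the
# Splunk Windows TA: a 4624 carries two Logon_ID values (Subject, then New Logon), a 4634 one.
EVENTS = [
    {"_time": "12/11/17 16:28:28", "host": "PrimaryDC", "EventCode": 4624,
     "Account_Name": ["PRIMARYDC$", "john.doe"], "Logon_ID": ["0x3e7", "0x1a2b3c"]},
    {"_time": "12/11/17 16:28:29", "host": "WS01", "EventCode": 4624,
     "Account_Name": ["WS01$", "john.doe"], "Logon_ID": ["0x3e7", "0x55aa"]},
    {"_time": "12/11/17 16:29:01", "host": "PrimaryDC", "EventCode": 4634,
     "Account_Name": ["john.doe"], "Logon_ID": ["0x1a2b3c"]},
    {"_time": "12/11/17 16:38:41", "host": "WS01", "EventCode": 4634,
     "Account_Name": ["john.doe"], "Logon_ID": ["0x55aa"]},
    {"_time": "12/11/17 16:45:00", "host": "WS01", "EventCode": 4624,
     "Account_Name": ["WS01$", "john.doe"], "Logon_ID": ["0x3e7", "0x9f"]},  # never logged off
]

def target_user(event):
    """mvindex(Account_Name, -1): the New Logon account, not the Subject."""
    return event["Account_Name"][-1].lower()

def is_noise(user):
    """Machine accounts (trailing $) and the built-in identities the query excludes."""
    return user.endswith("$") or user in NOISE
def fmt_duration(seconds):
    """Render seconds as the 'XhYmZs' string used in the report."""
    h, rem = divmod(int(seconds), 3600)
    m, s = divmod(rem, 60)
    return f"{h}h {m}m {s}s"

def pair_sessions(events):
    """Close each 4624 only with the 4634 that shares its host AND Logon_ID."""
    open_logons, sessions = {}, []
    for ev in sorted(events, key=lambda e: datetime.strptime(e["_time"], TIME_FMT)):
        user = target_user(ev)
        if is_noise(user):
            continue
        key = (ev["host"], ev["Logon_ID"][-1])
        ts = datetime.strptime(ev["_time"], TIME_FMT)
        if ev["EventCode"] == 4624:
            open_logons[key] = (user, ts)
        elif ev["EventCode"] == 4634 and key in open_logons:
            user, start = open_logons.pop(key)
            sessions.append({"Logontime": start.strftime(TIME_FMT), "Logofftime": ts.strftime(TIME_FMT),
                             "SessionDuration": fmt_duration((ts - start).total_seconds()),
                             "User": user, "host": ev["host"]})
    # Logons with no matching 4634 are still open (or the logoff was never logged).
    still_open = [{"User": u, "host": h, "Logontime": t.strftime(TIME_FMT)} for (h, _), (u, t) in open_logons.items()]
    return sessions, still_open
```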