Alerting

How to create an alert based on syslog login and logout data?

vrmandadi
Builder

I want to create an alert based on syslog login and logout data. I want the alert to be triggered when a session is opened but doesn't have a session closed for a particular session id, and if that session has been open for more than 8 hours compared to the time the Splunk alert is scheduled.


For example, if a session is opened by a user at 8AM and he doesn't log off by 4PM, which is more than 8 hrs, it needs to be alerted by giving the user session id.


Following is the sample data for login and logoff sessions:

2022-05-21T20:00:02.048677-07:00 login-se01 CRON[4031976]: pam_unix(cron:session): session closed for user abc


2022-05-21T20:00:02.041845-07:00 login-se01 CRON[4031976]: pam_unix(cron:session): session opened for user abc by (uid=0)


gcusello
Legend

Hi @vrmandadi,

Please try something like this:

index=os ("session closed for user" OR "session opened for user") earliest=-8h@h latest=@h
| eval type=if(searchmatch("session opened for user"),"open","close")
| stats 
     first(if(eval(type="open"),_time,"")) AS earliest 
     latest(if(eval(type="close"),_time,"")) AS latest
     dc(type) AS dc_type 
     values(type) AS type 
     BY user
| where dc_type=1 AND type="open"
| eval 
     earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S), 
     latest=strftime(latest,"%Y-%m-%d %H:%M:%S)
table user earliest latest

Ciao.

Giuseppe


vrmandadi
Builder

@gcusello 


I got the following error "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '%m-%d %H:%M:%S)'."


I think there is an issue starting from
| where dc_type=1 AND type="open"
| eval
earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S),
latest=strftime(latest,"%Y-%m-%d %H:%M:%S)
| table session_user earliest latest


Also, running the search without the where clause doesn't show any value for earliest and latest time.


session_user | earliest | latest | dc_type | type
-------------|----------|--------|---------|------
abc          |          |        | 2       | close
             |          |        |         | open

gcusello
Legend

Hi @vrmandadi,

Sorry! The quotes in the evals and the pipe before table:

index=os ("session closed for user" OR "session opened for user") earliest=-8h@h latest=@h
| eval type=if(searchmatch("session opened for user"),"open","close")
| stats 
     first(if(eval(type="open"),_time,"")) AS earliest 
     latest(if(eval(type="close"),_time,"")) AS latest
     dc(type) AS dc_type 
     values(type) AS type 
     BY user
| where dc_type=1 AND type="open"
| eval 
     earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"), 
     latest=strftime(latest,"%Y-%m-%d %H:%M:%S")
| table user earliest latest


vrmandadi
Builder

I still don't see the earliest and latest time... maybe the strptime format needs to be changed. Below is the sample event.


2022-05-23T06:00:01.676861-07:00 login-1 CRON[114336]: pam_unix(cron:session): session closed for user abc

2022-05-23T06:00:01.670790-07:00 login-1 CRON[114336]: pam_unix(cron:session): session opened for user abc by (uid=0)


gcusello
Legend

Hi @vrmandadi,

No, the strftime is only to format the output, not to read it, because _time is in epoch time.

Could you share the search you're using?

Ciao.

Giuseppe


vrmandadi
Builder

index=abc  session_points="session opened" OR session_points="session closed" session_user!=root earliest=-8h@h latest=@h
| eval type=if(searchmatch("session opened for user"),"open","close")
| stats
first(if(eval(type="open"),_time,"")) AS earliest
latest(if(eval(type="close"),_time,"")) AS latest
dc(type) AS dc_type
values(type) AS type
BY session_user
| where dc_type=2 AND type="close"
| eval
earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"),
latest=strftime(latest,"%Y-%m-%d %H:%M:%S")
| table session_user earliest latest


gcusello
Legend

Hi @vrmandadi,

Debug your search starting from the end, deleting one row at a time.

In other words: if you run

index=abc  session_points="session opened" OR session_points="session closed" session_user!=root earliest=-8h@h latest=@h
| eval type=if(searchmatch("session opened for user"),"open","close")

do you have both values for type?

What happens if you run

index=abc  session_points="session opened" OR session_points="session closed" session_user!=root earliest=-8h@h latest=@h
| eval type=if(searchmatch("session opened for user"),"open","close")
| stats
first(if(eval(type="open"),_time,"")) AS earliest
latest(if(eval(type="close"),_time,"")) AS latest
dc(type) AS dc_type
values(type) AS type
BY session_user

?

Ciao.

Giuseppe


vrmandadi
Builder

Yes, I did the line-by-line search and I see that when it comes to the below, it doesn't show earliest and latest... it shows blank.

| stats
first(if(eval(type="open"),_time,"")) AS earliest
latest(if(eval(type="close"),_time,"")) AS latest
dc(type) AS dc_type
values(type) AS type
BY session_user

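A corrected version of the search, added here as an example; it is not taken from any post in this thread. It assumes an index named `os` with `sourcetype=syslog` (substitute your own index and sourcetype), that the Splunk `host` field carries the syslog hostname, and it builds a session id from host, process name and PID extracted from the raw event with `rex`. It differs from the searches above in three ways that matter for the original requirement. First, stats functions accept an eval expression only in the form `func(eval(<expr>))`, so the `first(if(eval(...)))` form is most likely read as the name of a field that does not exist, which is consistent with the blank earliest/latest columns reported; non-matching events return `null()` rather than `""` so stats ignores them. Second, events are grouped by session id rather than by user, so a user with one closed session and one still-open session is still caught. Third, the window looks back 24 hours, because an `earliest=-8h@h` window can never contain the open event of a session that has already been open for more than 8 hours.

```spl
index=os sourcetype=syslog pam_unix ("session opened for user" OR "session closed for user")
    earliest=-24h@h latest=now
| rex field=_raw "^\S+\s+\S+\s+(?<process>\w+)\[(?<pid>\d+)\]: pam_unix\((?<service>[^)]+)\): session (?<action>opened|closed) for user (?<session_user>\S+)"
| eval session_id=host.":".process.":".pid
| stats min(eval(if(action="opened",_time,null()))) AS open_time
        max(eval(if(action="closed",_time,null()))) AS close_time
        values(session_user) AS session_user
        values(service) AS service
        BY session_id
| where isnotnull(open_time) AND isnull(close_time) AND (now()-open_time) > 8*3600
| eval open_hours=round((now()-open_time)/3600,1),
       opened_at=strftime(open_time,"%Y-%m-%d %H:%M:%S")
| table session_id session_user service opened_at open_hours
| sort - open_hours
```

Save this as a scheduled alert (for example hourly) with the trigger condition "number of results is greater than 0"; `now()` is evaluated at the scheduled run time, which is the comparison point asked for in the question. `open_hours` is computed before `open_time` is reformatted with `strftime`, since the formatted value is a string and no longer usable in arithmetic. Two caveats: PIDs are reused over time, so a lookback much longer than 24 hours raises the chance that an unrelated later `session closed` with the same PID hides a genuinely open session; and the cron sessions in the sample data open and close within milliseconds, so they will normally never appear in the result, which is the expected behaviour for this alert.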