(Windows) How to find users logged in over night?

boeing_smithbj
Explorer

Hi there,

What I am trying to figure out is how I can search a Windows domain (Security logs?) to find out what users were logged in over night.

Currently installed: Splunk for Active Directory, SA-ldapsearch, sideview utils, TA Windows and Universal Forwarders on our domain controllers/DNS servers.

I thought I might be able to get this information out of the Splunk App for Active Directory by default using the "User Utilization" pull-down, but I believe what that is showing me is users who logged in AT a certain time, not users who were logged in from x-time to y-time.

An example would be -

Come in tomorrow morning and run a search on last night's logs to see if anyone was logged in from say 8 PM to 4 AM.

Any ideas? Thanks!

0 Karma
1 Solution

lukejadamec
Super Champion

You will not need any fancy apps for this search. A simple search will do.

This should get you started.

earliest=-12h@m latest=now index=main sourcetype=WinEventLog:Security (EventCode=528 OR EventCode=540 OR EventCode=4624) | table _time,Account_Name

Save the search, schedule it to run at 6 AM every day, and have it send you an email with the results.

0 Karma

lukejadamec
Super Champion

The event codes are logon event codes, so they are recording logon events. There are types of logons for the various ways a user can 'logon' to a machine (interactive, network, service, etc... 9 total). You may be interested in only a few of those.
Finding users who are currently logged on is a tricky problem in Windows. See this answer for more details: http://answers.splunk.com/answers/43122/determine-users-on-the-same-server-within-a-time-window
I don't really like the solution they came up with, so I think you might want to create a new question for that.

0 Karma

boeing_smithbj
Explorer

Thanks for the quick reply, it worked for me! I added some NOT operators to get rid of machine accounts and anonymous stuff.

I'll have to work on the output a little bit to make it cleaner, i.e.: giving me a total count for each Account_Name so I don't see each one multiple times.

Also, I'm still not sure - this is showing me users who LOGGED IN during that specific time, right? What about users who LOGGED IN BEFORE and stayed logged in throughout the night? I'm guessing that I need to better understand how my Windows logs could be inspected to see logins without a corresponding logout...

0 Karma
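The two questions raised above, which logon types matter and how to catch a user who logged on before 8 PM and never logged off, come down to pairing each 4624 with its 4634/4647 by Logon ID and then asking whether the resulting session overlapped the window at all. The script below is an added example written for this thread; it is not code from the original post or from Splunk. It assumes the field names the Windows TA extracts (Account_Name, Logon_Type, Logon_ID, ComputerName), uses constructed sample events, and treats logon types 2, 10 and 11 as "a person logged in" (an assumption; adjust the set to taste). One caveat a defender should keep in mind: 4624 events on a domain controller mostly record network authentications to the DC, so interactive logons to a workstation are found in that workstation's Security log, which means the forwarders need to cover the hosts people actually sit at. In SPL the same pairing is normally done with stats or transaction keyed on Logon_ID and host.

```python
from datetime import datetime

# The nine logon types in the 4624 event, as the reply above counts them.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
# Assumption: "logged in over night" means a person at a console or RDP session.
INTERESTING_TYPES = {2, 10, 11}
LOGON_CODES = {4624}
LOGOFF_CODES = {4634, 4647}

# The overnight window from the question, 8 PM to 4 AM (constructed dates).
WINDOW_START = datetime(2014, 3, 10, 20, 0)
WINDOW_END = datetime(2014, 3, 11, 4, 0)

# Constructed sample events. Field names assume the Splunk Windows TA's
# extractions (Account_Name, Logon_Type, Logon_ID, ComputerName).
SAMPLE_EVENTS = [
    {"_time": "2014-03-10 17:55:00", "EventCode": 4624, "ComputerName": "WS01",
     "Account_Name": "jsmith", "Logon_Type": 2, "Logon_ID": "0x1a2b"},
    {"_time": "2014-03-10 18:02:00", "EventCode": 4624, "ComputerName": "DC01",
     "Account_Name": "DC01$", "Logon_Type": 3, "Logon_ID": "0x1a2c"},
    {"_time": "2014-03-10 22:30:00", "EventCode": 4624, "ComputerName": "DC01",
     "Account_Name": "ANONYMOUS LOGON", "Logon_Type": 3, "Logon_ID": "0x1a2d"},
    {"_time": "2014-03-10 23:10:00", "EventCode": 4624, "ComputerName": "SRV02",
     "Account_Name": "backupsvc", "Logon_Type": 5, "Logon_ID": "0x1a2e"},
    {"_time": "2014-03-11 01:15:00", "EventCode": 4624, "ComputerName": "SRV02",
     "Account_Name": "adoe", "Logon_Type": 10, "Logon_ID": "0x1a2f"},
    {"_time": "2014-03-11 01:45:00", "EventCode": 4634, "ComputerName": "SRV02",
     "Account_Name": "adoe", "Logon_Type": 10, "Logon_ID": "0x1a2f"},
    {"_time": "2014-03-11 03:05:00", "EventCode": 4647, "ComputerName": "WS01",
     "Account_Name": "jsmith", "Logon_ID": "0x1a2b"},
    {"_time": "2014-03-11 07:30:00", "EventCode": 4624, "ComputerName": "WS01",
     "Account_Name": "mlee", "Logon_Type": 2, "Logon_ID": "0x1a30"},
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def is_machine_or_anonymous(name):
    """Computer accounts end in '$'; ANONYMOUS LOGON is null-session noise."""
    return name.endswith("$") or name.upper() == "ANONYMOUS LOGON"


def build_sessions(events):
    """Pair each 4624 with its 4634/4647 by (host, Logon_ID).

    Logon_ID is only unique per host, so the key includes ComputerName.
    A logon with no logoff in the data is returned with end=None (still open).
    """
    open_sessions = {}
    closed = []
    for ev in sorted(events, key=lambda e: parse_time(e["_time"])):
        key = (ev["ComputerName"], ev["Logon_ID"])
        when = parse_time(ev["_time"])
        if ev["EventCode"] in LOGON_CODES:
            open_sessions[key] = {
                "user": ev["Account_Name"], "host": ev["ComputerName"],
                "logon_type": ev["Logon_Type"], "start": when, "end": None,
            }
        elif ev["EventCode"] in LOGOFF_CODES:
            session = open_sessions.pop(key, None)
            if session is not None:
                session["end"] = when
                closed.append(session)
    return closed + list(open_sessions.values())


def logged_on_during(sessions, window_start, window_end, types=INTERESTING_TYPES):
    """Map user -> sessions that overlapped [window_start, window_end).

    A session counts if it was open at any point in the window, so a logon
    from the previous afternoon that was never logged off is included.
    """
    hits = {}
    for s in sessions:
        if s["logon_type"] not in types or is_machine_or_anonymous(s["user"]):
            continue
        end = window_end if s["end"] is None else s["end"]
        if s["start"] < window_end and end > window_start:
            hits.setdefault(s["user"], []).append(s)
    return hits


def overnight_report(events=SAMPLE_EVENTS, start=WINDOW_START, end=WINDOW_END):
    return logged_on_during(build_sessions(events), start, end)


if __name__ == "__main__":
    for user, sessions in sorted(overnight_report().items()):
        for s in sessions:
            ended = s["end"] or "still logged on at end of data"
            print(f"{user:10} {s['host']:6} type={LOGON_TYPES[s['logon_type']]:18} "
                  f"{s['start']} -> {ended}")
```

On the constructed data this reports jsmith (logged on at 17:55 the evening before and off at 03:05, which a plain "4624 between 8 PM and 4 AM" search would miss) and adoe (an RDP session inside the window), while the computer account, the anonymous logon, the service logon and the 07:30 morning logon are all left out.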

lukejadamec
Super Champion

Let me know if you have any problems. There are a billion things you can do with simple searches.

boeing_smithbj
Explorer

Great, thanks. I figured a search would do it; I'm just a noob to this whole thing. Looking forward to giving this a go. Thanks

0 Karma

boeing_smithbj
Explorer

Not at work so I can't verify, but I believe we are using the default index setup with the Active Directory App, which is the "main" index, for WinEventLog-Security in eventtypes.conf.

All the other AD related stuff I think goes into the "msad" index.

As far as the event ID associated with logon, I believe it is 4624 or 4648.

0 Karma

bmacias84
Champion

What index are you storing your DC Security Event Logs in? Also, do you know what the event ID associated with a logon event is?

0 Karma