Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I use windows events to monitor logon sessions

splunk_ny
Engager
‎03-13-2014 11:14 AM

I see in my security event log that there is a logon and logoff event. I would like to use this data to track total session logon time in Splunk?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bschaefer
Splunk Employee
Splunk Employee
‎03-13-2014 11:23 AM

There are a few reasons why tracking session logon time in this manner is not accurate. For one, users typically don't physically log out, they lock their workstation, or allow the screen saver to lock it (which doesn't actually lock the workstation until someone wakes the computer back up). Also, someone trying to evade time detection can just hit the power button on the machine, assuming they have physical access to the box.

That being said, the following search should get you started in the right direction:

source="WinEventLog:Security" EventCode=4624 OR EventCode=4634  Account_Name=*  action=success 
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))  
|eval User=lower(User)| search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
|stats sum(duration) As Duration by User, ComputerName
|eval Duration(M)=round((Duration/60), 0) 
|table  User,Duration(M),ComputerName

View solution in original post

Reply
Solved! Jump to solution

smudge797
Path Finder
‎03-16-2016 07:33 AM

Is there a way to have the output the table:
date, user, Duration, ComputerName
day1 user1 10 comp1.com
day2 user1 17 comp1.com
day3 user1 5 comp1.com
day1 user2 17 comp2.com
day2 user2 11 comp2.com
day3 user2 13 comp2.com
...

Reply
Solved! Jump to solution

GoneSplunking
Engager
‎10-18-2018 10:22 AM

index=* host=* sourcetype="WinEventLog:Security" EventCode="4624" OR EventCode=4634
| transaction user maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logontime=if(EventCode="4624",_time,null())
| eval Logofftime=Logontime+duration
| convert ctime(Logontime) as Logontime
| convert ctime(Logofftime) as Logofftime
| bucket _time span=day
| stats sum(duration) by _time user host
| rename duration AS "Duration (seconds)"

0 Karma
Reply
Solved! Jump to solution
Solution

bschaefer
Splunk Employee
Splunk Employee
‎03-13-2014 11:23 AM

There are a few reasons why tracking session logon time in this manner is not accurate. For one, users typically don't physically log out, they lock their workstation, or allow the screen saver to lock it (which doesn't actually lock the workstation until someone wakes the computer back up). Also, someone trying to evade time detection can just hit the power button on the machine, assuming they have physical access to the box.

That being said, the following search should get you started in the right direction:

source="WinEventLog:Security" EventCode=4624 OR EventCode=4634  Account_Name=*  action=success 
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))  
|eval User=lower(User)| search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
|stats sum(duration) As Duration by User, ComputerName
|eval Duration(M)=round((Duration/60), 0) 
|table  User,Duration(M),ComputerName
Reply
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...