Tricky latest login state question

SecureIA
Path Finder

Hi Guys,
I'm having a bit of trouble with this. Basically I wish to show who is into this device on a dashboard and I have a great search which takes the last login state and should work. My problem is that the device logs in such a way that the last state is always 'out' and will show users being 'logged out' even if they are in fact 'logged in', as the example below states. Would there possibly be a way in which my search could discount the last login state? Or perhaps do this another way; I'm open to any suggestions.

<device> (2016-01-15T10:39:04) sessiond[1627]: msg_id="3E00-0004" Management user lheath@<device> from 10.20.84.39 logged out
host = <device> source = udp:514 sourcetype = syslog

<device> (2016-01-15T10:39:01) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
host = <device> source = udp:514 sourcetype = syslog

<device> (2016-01-15T10:39:00) sessiond[1627]: msg_id="3E00-0004" Management user lheath@<device> from 10.20.84.39 logged out
host = <device> source = udp:514 sourcetype = syslog

<device> (2016-01-15T10:38:59) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
host = <device> source = udp:514 sourcetype = syslog

<device> (2016-01-15T10:38:36) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
host = <device> source = udp:514 sourcetype = syslog

Any help would be massively appreciated.
Cheers


vasanthmss
Motivator

Hi SecureIA,

Try something like this,

| stats latest(eval(if(status="loggedin",_time, null()))) as logon, 
        latest(eval(if(status="logout",_time, null()))) as logoff by <host, device, sessiond, msg_id>
| eval logoff=if(logoff<logon OR isnull(logoff), "Live", logoff)
| eval logon=if(isnull(logon), "Not in time Range", logon)
| eval duration=tostring(logoff-logon,"duration")
| eval logon=if(isint(logon),strftime(logon,"%+"), logon)
| eval logoff=if(isint(logoff),strftime(logoff,"%+"), logoff)

In the stats by clause I've mentioned some random fields; you can change them based on your search. I guess the remaining will help you.

Note: Assuming you have a field called status that can identify whether the event is logon or logoff. If not, you can use _raw to define it. Instead of checking raw, I prefer to extract a field and name it status.

status="loggedin" => _raw like "%logged in%"
status="logout" => _raw like "%logged out%"

Thanks,
V


SecureIA
Path Finder

From this I get an error:

"Error in 'eval' command: The expression is malformed. Expected )."

I put in a ')' after line 4, to which I get:

"Error in 'eval' command: The arguments to the 'isnull' function are invalid."


vasanthmss
Motivator

I have updated the search. Sorry for the typo. Please check now.

V

Richfez
SplunkTrust

So how do you know when they actually logged out? Does it literally just tell you they logged out right after they logged in regardless?

-- OR -- (And I hope this is the case)

Does it do some sort of stateless re-login for each command or something?

Meaning, the process is like this?

Login (main one, actual login)
Login and nearly immediate logout (ran command X, did Y, whatever)
Login and nearly immediate logout (ran command A, did B, whatever)
Logout (main actual real logout)

In which case you want to discard all the short, intermediate login/logout sequences and just see the big one that wraps around those? Can you review the logs and see if this is the case?

It also might not hurt if you could supply the device type and [basic] version if appropriate so we can google some on how it logs, too.


SecureIA
Path Finder

It basically logs in, then in again - out - in - out. That's a single login. Also when you exit, it will send a log out.

Your assumption below is exactly right:

"In which case you want to discard all the short, intermediate login/logout sequences and just see the big one that wraps around those?"

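Richfez's nesting model, which SecureIA confirms above, can be checked against the sample lines from the question: count every 'logged in' as opening a level and every 'logged out' as closing one, so the per-command pairs net to zero and only the wrapping logout brings the user to 'out'. This is an added example, not code from the thread or from Splunk; the final 'logged out' line is constructed, and the parsing regex assumes the message layout shown in the question.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed copy of the syslog lines posted in the question (newest first, as Splunk lists them).
SAMPLE_LOG = """\
<device> (2016-01-15T10:39:04) sessiond[1627]: msg_id="3E00-0004" Management user lheath@<device> from 10.20.84.39 logged out
<device> (2016-01-15T10:39:01) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
<device> (2016-01-15T10:39:00) sessiond[1627]: msg_id="3E00-0004" Management user lheath@<device> from 10.20.84.39 logged out
<device> (2016-01-15T10:38:59) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
<device> (2016-01-15T10:38:36) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
"""

# Constructed: the single 'logged out' the device sends when the user really exits the session.
FINAL_LOGOUT = '<device> (2016-01-15T10:45:10) sessiond[1627]: msg_id="3E00-0004" Management user lheath@<device> from 10.20.84.39 logged out\n'

# Field extraction for the message layout seen in the question (timestamp, user, source IP, state).
LINE_RE = re.compile(
    r'\((?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\) sessiond\[\d+\]: msg_id="(?P<msg_id>[^"]+)" '
    r'Management user (?P<user>\S+) from (?P<src>\S+) logged (?P<state>in|out)'
)

def parse_events(text):
    """Return (timestamp, user, source_ip, state) tuples sorted oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%S')
            events.append((ts, m['user'], m['src'], m['state']))
    return sorted(events)

def session_depth(text):
    """Nesting depth per (user, source_ip): 'logged in' opens a level, 'logged out'
    closes one, so the short intermediate pairs cancel out and only the wrapping
    login/logout changes the result. depth > 0 means the user is still on the device."""
    depth = defaultdict(int)
    for _ts, user, src, state in parse_events(text):
        key = (user, src)
        if state == 'in':
            depth[key] += 1
        elif depth[key] > 0:   # a stray 'out' with no open level (lost or out-of-range event) is ignored
            depth[key] -= 1
    return dict(depth)

def logged_in_users(text):
    """Users to show on the dashboard: those whose session depth is still positive."""
    return sorted(user for (user, _src), d in session_depth(text).items() if d > 0)
```

The input (or the search time range, if this is recreated in SPL) must start before the wrapping login; if it begins mid-session the depth starts at zero and the user shows as logged out after the first intermediate pair.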