Hi Guys,
I'm having a bit of trouble with this. Basically I wish to show who is logged into this device on a dashboard, and I have a great search which takes the last login state and should work. My problem is that the device logs in such a way that the last state is always 'out', so it will show users as 'logged out' even if they are in fact 'logged in', as the example below shows. Would there possibly be a way in which my search could discount the last login state? Or perhaps do this another way? I'm open to any suggestions.
<device> (2016-01-15T10:39:04) sessiond[1627]: msg_id="3E00-0004" Management user lheath@<device> from 10.20.84.39 logged out
host = <device> source = udp:514 sourcetype = syslog
<device> (2016-01-15T10:39:01) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
host = <device> source = udp:514 sourcetype = syslog
<device> (2016-01-15T10:39:00) sessiond[1627]: msg_id="3E00-0004" Management user lheath@<device> from 10.20.84.39 logged out
host = <device> source = udp:514 sourcetype = syslog
<device> (2016-01-15T10:38:59) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
host = <device> source = udp:514 sourcetype = syslog
<device> (2016-01-15T10:38:36) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
host = <device> source = udp:514 sourcetype = syslog
Any help would be massively appreciated.
Cheers
Hi SecureIA,
Try something like this,
| stats latest(eval(if(status="loggedin",_time, null()))) as logon,
latest(eval(if(status="logout",_time, null()))) as logoff by <host, device, sessiond, msg_id>
| eval logoff=if(logoff<logon OR isnull(logoff), "Live", logoff)
| eval logon=if(isnull(logon), "Not in time Range", logon)
| eval duration=tostring(logoff-logon,"duration")
| eval logon=if(isint(logon),strftime(logon,"%+"), logon)
| eval logoff=if(isint(logoff),strftime(logoff,"%+"), logoff)
In the stats by clause I've mentioned some random fields; you can change them based on your search. I guess the remaining part will help you.
Note: Assuming you have a field called status that can identify whether the event is a logon or a logoff. If not, you can use _raw to define it. I prefer extracting a field and naming it status instead of checking _raw.
status="loggedin" => _raw like "%logged in%"
status="logout" => _raw like "%logged out%"
Thanks,
V
From this I get an error:-
"Error in 'eval' command: The expression is malformed. Expected )."
I put in a ')' after line 4 to which I get:-
"Error in 'eval' command: The arguments to the 'isnull' function are invalid."
I have updated the search. Sorry for the typo. Please check now.
So how do you know when they actually logged out? Does it literally just tell you they logged out right after they logged in regardless?
-- OR -- (And I hope this is the case)
Does it do some sort of stateless re-login for each command or something?
Meaning, the process is like this?
Login (main one, actual login)
Login and nearly immediate logout (ran command X, did Y, whatever)
Login and nearly immediate logout (ran command A, did B, whatever)
Logout (main actual real logout)
In which case you want to discard all the short, intermediate login/logout sequences and just see the big one that wraps around those? Can you review the logs and see if this is the case?
It also might not hurt if you could supply the device type and [basic] version if appropriate so we can google some on how it logs, too.
It basically logs in, then in again - out - in - out. That's a single login. Also, when you exit, it will send a log out.
Your assumption below is exactly right:-
"In which case you want to discard all the short, intermediate login/logout sequences and just see the big one that wraps around those?"
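The collapsing logic the thread converges on (discard the short intermediate in/out pairs, keep the session that wraps around them, label it "Live" as in V's answer), written out as a small Python script so the rule can be checked against the quoted events before turning it into SPL. This is an added example, not code from any of the posts: the sample lines are reconstructed from the question with "<device>" kept as a placeholder, and the 10-second gap that separates an intermediate logout from a real one is an assumed value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on the five events quoted in the question
# ("<device>" kept as a placeholder); the device emits them newest first.
SAMPLE_LOG = """\
<device> (2016-01-15T10:39:04) sessiond[1627]: msg_id="3E00-0004" Management user lheath@<device> from 10.20.84.39 logged out
<device> (2016-01-15T10:39:01) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
<device> (2016-01-15T10:39:00) sessiond[1627]: msg_id="3E00-0004" Management user lheath@<device> from 10.20.84.39 logged out
<device> (2016-01-15T10:38:59) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
<device> (2016-01-15T10:38:36) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
"""

EVENT_RE = re.compile(
    r'\((?P<ts>[^)]+)\) sessiond\[\d+\]: msg_id="[^"]+" '
    r'Management user (?P<user>\S+) from \S+ logged (?P<action>in|out)'
)

def parse_events(text):
    """Extract (time, user, action) from sessiond lines, oldest first."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["action"]))
    return sorted(events)

def login_state(text, gap=timedelta(seconds=10)):
    """Map each user to "Live" or "logged out" after dropping intermediate in/out pairs.

    The first "in" opens the real session. A later "in" while it is open is a
    candidate intermediate login; an "out" within `gap` (an assumed value, tune it
    to the device) of that candidate is dropped. Any other "out" is the real logout.
    """
    session_open, pending_in, state = set(), {}, {}
    for ts, user, action in parse_events(text):
        if action == "in":
            if user in session_open:
                pending_in[user] = ts
            else:
                session_open.add(user)
                state[user] = "Live"
        else:
            last_in = pending_in.pop(user, None)
            if last_in is not None and ts - last_in <= gap:
                continue  # tail of an intermediate pair: the user is still in
            session_open.discard(user)
            state[user] = "logged out"
    return state
```

Note the limitation of the gap heuristic: a genuine logout that lands within the gap of an intermediate login is discarded too, so pick the threshold from the device's real command timing.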