I am trying to get an alert if someone outside of an Active Directory group logs into a specific server. I think I got the syntax right, but could use some wisdom.
host="server being monitored" sourcetype="WinEventLog:Security" EventCode=4624 NOT user="*$" NOT [| inputlookup usergroup_members.csv | fields user]
| table _time host user Logon_Type Source_Network_Address
Thanks for any help.
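The same detection logic, written out as an added Python example (not code from the original post): a Windows 4624 event records who logged on, but not which AD groups that account belongs to, so the allowed set has to come from an exported group membership list, which is exactly the role a Splunk lookup plays. The events, the host name FILESRV01, the field names in the key=value style Splunk shows for Security events, and the membership of usergroup1 and usergroup2 are all constructed for this example.

```python
"""Alert on successful logons (EventCode 4624) to a monitored server by any
account that is not a member of the allowed AD groups.
Added example for this thread; the events and group lists are constructed."""
import re

# Constructed sample events, in the key=value form Splunk renders for
# WinEventLog:Security. 4624 = successful logon, 4625 = failed logon.
# Logon_Type 2 = interactive, 3 = network, 5 = service, 10 = RDP.
SAMPLE_EVENTS = [
    'host=FILESRV01 EventCode=4624 Account_Name=CORP\\alice Logon_Type=10 Source_Network_Address=10.0.0.5',
    'host=FILESRV01 EventCode=4624 Account_Name=CORP\\mallory Logon_Type=3 Source_Network_Address=10.0.0.77',
    'host=FILESRV01 EventCode=4625 Account_Name=CORP\\mallory Logon_Type=3 Source_Network_Address=10.0.0.77',
    'host=FILESRV01 EventCode=4624 Account_Name=FILESRV01$ Logon_Type=5 Source_Network_Address=-',
    'host=WEB02 EventCode=4624 Account_Name=CORP\\mallory Logon_Type=10 Source_Network_Address=10.0.0.77',
    'host=FILESRV01 EventCode=4624 Account_Name=bob Logon_Type=2 Source_Network_Address=-',
]

# Constructed stand-in for an exported group membership list (what a
# Splunk lookup such as usergroup_members.csv would hold).
ALLOWED_GROUP_MEMBERS = {
    "usergroup1": ["CORP\\alice", "CORP\\carol"],
    "usergroup2": ["bob"],
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value event line into a dict."""
    return dict(KV_RE.findall(line))


def normalize_user(name):
    """Strip a DOMAIN\\ prefix and fold case so 'CORP\\Alice' matches 'alice'."""
    return name.rsplit("\\", 1)[-1].lower()


def allowed_users(groups):
    """Flatten all group memberships into one set of normalized user names."""
    return {normalize_user(u) for members in groups.values() for u in members}


def find_unauthorized_logons(lines, monitored_host, groups):
    """Return an alert record for every 4624 on monitored_host whose account
    is a human user outside the allowed groups."""
    allowed = allowed_users(groups)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("host") != monitored_host or ev.get("EventCode") != "4624":
            continue
        user = ev.get("Account_Name", "")
        if user.endswith("$"):
            # Computer accounts (NAME$) log on constantly; not a user logon.
            continue
        if normalize_user(user) not in allowed:
            alerts.append({
                "host": ev["host"],
                "user": user,
                "logon_type": ev.get("Logon_Type"),
                "src": ev.get("Source_Network_Address"),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_unauthorized_logons(SAMPLE_EVENTS, "FILESRV01", ALLOWED_GROUP_MEMBERS):
        print("ALERT: logon outside allowed groups:", alert)
```

On the constructed data only the network logon by CORP\mallory to FILESRV01 is reported: alice and bob are group members, the machine account is skipped, the failed 4625 attempt is not a logon, and mallory's logon to WEB02 is on a host that is not being monitored. The domain-stripping and case-folding in normalize_user matter in practice, because the same person can show up as CORP\Alice in the event and alice in the exported group list.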
Hi,
Take a look at the following answer I provided for a similar question:
Hope that helps.
Thanks,
J