I need to write a query to report on the last logon times for all users that logged into any Linux host in our environment. What am I doing wrong?

dylan_yoder
New Member

The query I wrote doesn't seem to work as expected. The timestamp is missing under the logon_time column next to the corresponding listed users, and the user column shows many duplicate occurrences (for example, 20+ root logons) instead of a single entry for the last logon of that account on that specific host.

sourcetype=linux_secure source="/var/log/secure" (user=* OR ruser=*) ("Accepted Publickey" OR "session opened" OR "Accepted password")
| stats list(user) as User, list(ruser) as "Remote User", list(latest(eval(if(action==success,_time, null())))) as logon_time by host
| eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time)
| sort -count

somesoni2
Revered Legend

Try like this

sourcetype=linux_secure source="/var/log/secure" (user=* OR ruser=*) ("Accepted Publickey" OR "session opened" OR "Accepted password")
| eval logon_time=if(action=="success",_time, null())
| stats values(logon_time) as logon_time by host user ruser
| eval logon_time=mvindex(logon_time,-1)
| eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time)
| stats list(user) as User, list(ruser) as "Remote User", list(logon_time) as logon_time by host

Update

This should give you latest logon for each (unique) user per host.

sourcetype=linux_secure source="/var/log/secure" (user=* OR ruser=*) ("Accepted Publickey" OR "session opened" OR "Accepted password")
| eval logon_time=if(action=="success",_time, null())
| stats latest(logon_time) as logon_time by host user ruser
| eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time)

If you want to group users and their corresponding logon time by host, then you can add the following to the above search:

| stats list(*) as * by host

dylan_yoder
New Member

I ended up using the following queries to get the desired results

sourcetype=linux_secure user=* ("Accepted Publickey" OR "session opened" OR "Accepted password")
| stats latest(eval(if(vendor_action="session opened",_time, null()))) as logon_time by host user
| eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time)
| sort -count
| stats list(user) as user, list(logon_time) as logon_time by host

OR

sourcetype=linux_secure source="/var/log/secure" (user=* OR ruser=*) ("Accepted Publickey" OR "session opened" OR "Accepted password")
| eval logon_time=if(action="success",_time, null())
| stats latest(logon_time) as logon_time by host user
| eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time)
| stats list(*) as * by host
| sort -logon_time

Both seemed to work.

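The queries above only run inside Splunk, so the following is the same computation as an added example, in Python over constructed /var/log/secure lines; it is not code from the thread or from the Splunk add-on. It mirrors the SPL stages of the working queries: extract user/action/vendor_action (a minimal stand-in for what the linux_secure sourcetype provides, written here from the sshd and pam_unix message formats), keep the latest successful logon per (host, user), format it with the thread's strftime pattern, and group by host. The sample lines are made up, and the year is an assumption because syslog lines carry none. With successful_only=False the function keys on "session opened" instead of action="success", the way the first of the two queries above does; on a host where cron or sudo sessions are also logged to /var/log/secure that picks up the constructed cron session for root, which is the difference between "last SSH logon" and "last PAM session" that a logon report should be clear about.

```python
"""Latest successful logon per user per host, mirroring the thread's SPL stages:
field extraction -> eval logon_time -> stats latest() by host user -> strftime
-> stats list(*) by host.  Added example, not code from the thread."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: syslog lines carry no year, so one is supplied here the way Splunk
# fills it in at index time.
YEAR = 2024

# Constructed sample events as (host, raw /var/log/secure line); Splunk supplies
# the host field, so it is paired with each line here. The final CRON line is
# deliberate: pam_unix logs "session opened" for cron and sudo sessions as well
# as for sshd, so a query keyed on "session opened" alone counts those too.
SAMPLE_EVENTS = [
    ("web01", "May 12 08:01:10 web01 sshd[2310]: Accepted publickey for root from 10.0.0.5 port 51022 ssh2: RSA SHA256:AAAA"),
    ("web01", "May 12 08:01:10 web01 sshd[2310]: pam_unix(sshd:session): session opened for user root by (uid=0)"),
    ("web01", "May 12 09:30:00 web01 sshd[2400]: Failed password for invalid user admin from 10.0.0.9 port 40000 ssh2"),
    ("web01", "May 13 17:45:03 web01 sshd[2555]: Accepted password for dylan from 10.0.0.7 port 51100 ssh2"),
    ("web01", "May 13 17:45:03 web01 sshd[2555]: pam_unix(sshd:session): session opened for user dylan by (uid=0)"),
    ("web01", "May 14 06:00:01 web01 sshd[2700]: Accepted publickey for root from 10.0.0.5 port 51300 ssh2: RSA SHA256:AAAA"),
    ("web01", "May 14 06:00:01 web01 sshd[2700]: pam_unix(sshd:session): session opened for user root by (uid=0)"),
    ("web01", "May 15 04:00:01 web01 CRON[2801]: pam_unix(cron:session): session opened for user root by (uid=0)"),
    ("db01", "May 10 22:15:44 db01 sshd[911]: Accepted publickey for ops from 10.0.0.5 port 33000 ssh2: ED25519 SHA256:BBBB"),
    ("db01", "May 10 22:15:44 db01 sshd[911]: pam_unix(sshd:session): session opened for user ops by (uid=0)"),
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
FAILED_RE = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SESSION_RE = re.compile(r"^pam_unix\((?P<service>[^:]+):session\): session opened for user (?P<user>\S+)")


def extract_fields(host, line):
    """Minimal extraction standing in for the linux_secure sourcetype fields the
    thread uses: _time, host, user, action ("success"/"failure") and
    vendor_action. Returns None for lines matching none of the three shapes."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    ev = {"_time": ts.replace(tzinfo=timezone.utc).timestamp(), "host": host,
          "prog": m["prog"], "user": None, "action": None, "vendor_action": None}
    msg = m["msg"]
    if (a := ACCEPTED_RE.match(msg)):
        ev.update(user=a["user"], action="success", vendor_action=f"Accepted {a['method']}")
    elif (f := FAILED_RE.match(msg)):
        ev.update(user=f["user"], action="failure", vendor_action="Failed")
    elif (s := SESSION_RE.match(msg)):
        ev.update(user=s["user"], vendor_action="session opened", service=s["service"])
    else:
        return None
    return ev


def latest_logon_by_host_user(events, successful_only=True):
    """The `eval logon_time=if(action="success",_time,null()) | stats latest(logon_time)
    by host user` stage: one epoch per (host, user). successful_only=False keeps
    every "session opened" event instead, as the first query's vendor_action does."""
    latest = {}
    for host, line in events:
        ev = extract_fields(host, line)
        if ev is None or ev["user"] is None:
            continue
        if successful_only:
            if ev["action"] != "success":
                continue  # null() in the eval, so latest() never sees it
        elif ev["vendor_action"] != "session opened":
            continue
        key = (ev["host"], ev["user"])
        if key not in latest or ev["_time"] > latest[key]:
            latest[key] = ev["_time"]
    return latest


def format_logon_time(epoch):
    """strftime(logon_time, "%b %d, %I:%M %p"), as the thread formats it."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%b %d, %I:%M %p")


def report_by_host(latest):
    """`stats list(user) as user, list(logon_time) as logon_time by host`, newest
    first, as a dict host -> [(user, formatted time), ...]."""
    by_host = defaultdict(list)
    for (host, user), t in sorted(latest.items(), key=lambda kv: kv[1], reverse=True):
        by_host[host].append((user, format_logon_time(t)))
    return dict(by_host)


if __name__ == "__main__":
    for host, rows in report_by_host(latest_logon_by_host_user(SAMPLE_EVENTS)).items():
        print(host)
        for user, when in rows:
            print(f"  {user:<8} {when}")
```

Running the file prints one block per host with each user once and their most recent successful logon, which is the shape the final queries in the thread produce; calling latest_logon_by_host_user(SAMPLE_EVENTS, successful_only=False) returns a later time for root on web01, from the cron session, than the successful-only version does.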

dylan_yoder
New Member

That didn't seem to work for me unfortunately. Nothing resolved at all. I need it to show the latest/most recent logon event for the individual/unique user listed by Linux host.


dylan_yoder
New Member

Thanks that helped!
