How to create an alert that triggers when a user successfully logs in to a specific host?

JasonGY
New Member

How would I create an alert that triggers when anyone logs in to a specific host? Or how do I configure an alert that triggers each time a specific user id logs on to any host?


MuS
Legend

Hi JasonGY,

from the site above and a bit of modification, you'll get this for successful logins by users to a specific host:

source="WinEventLog:security" (EventCode=528 OR EventCode=540 OR EventCode=4624 ) host=myServer 
| eval status=case(EventCode=528, "Successful Logon", EventCode=540, "Successful Logon", EventCode=4624, "Successful Logon") 
| stats count by status, Account_Name, host

Or all logins by a specific user to any host:

source="WinEventLog:security" host=* (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)
| eval status=if(EventCode=528 OR EventCode=540 OR EventCode=4624, "Successful Logon", "Failed Logon")
| stats count by status, Account_Name, host

This is all untested, so modify it to your needs and save it as an alert.

Hope this helps ...

cheers, MuS

JasonGY
New Member

MuS - this is really great. The first one works very well. In the second one, I do not see where I can enter criteria for a specific username to alert on. Please advise.


MuS
Legend

Just add the specific user name to the base search:

source="WinEventLog:security" host=* Account_Name=foo (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)

cheers, MuS

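The two searches in this thread filter on a host or on Account_Name, map the EventCode to a status, and run `stats count by status, Account_Name, host`. The Python below is an added example, not code from the thread or from Splunk, that emulates that logic over constructed events shaped like the fields Splunk extracts from WinEventLog:Security (hosts and user names are hypothetical). It also covers the part the searches gloss over: for 4624/4625, Account_Name is multi-valued in message order (Subject account first, New Logon / target account last), so a search for `Account_Name=foo` also matches events where foo merely requested a logon for someone else, and a service logon by SYSTEM on the target host counts unless Logon_Type is restricted.

```python
"""Added example (not from the thread, not Splunk code): emulate the thread's
logon searches over constructed Windows Security events.

Events are modelled as the fields Splunk extracts from WinEventLog:Security,
not raw event text. For 4624/4625 Account_Name is multi-valued, in message
order: the Subject (who requested the logon, often "-", SYSTEM or a machine
account ending in "$") first, the New Logon / target account last.
"""
from collections import Counter

# Event-code sets used by the thread's searches (pre-Vista codes plus 4624/4625).
SUCCESS_CODES = {528, 540, 4624}
FAILURE_CODES = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 4625}
# Logon types the thread filters on: Interactive, Unlock, RemoteInteractive (RDP).
INTERACTIVE_TYPES = {2, 7, 10}

# Constructed sample events; hosts and account names are hypothetical.
SAMPLE_EVENTS = [
    {"host": "myServer", "EventCode": 4624, "Logon_Type": 10, "Account_Name": ["-", "foo"]},
    {"host": "myServer", "EventCode": 4624, "Logon_Type": 5, "Account_Name": ["MYSERVER$", "SYSTEM"]},
    {"host": "myServer", "EventCode": 4625, "Logon_Type": 10, "Account_Name": ["-", "bar"]},
    {"host": "dc01", "EventCode": 4624, "Logon_Type": 2, "Account_Name": ["-", "foo"]},
    {"host": "dc01", "EventCode": 4625, "Logon_Type": 3, "Account_Name": ["-", "foo"]},
    {"host": "fs01", "EventCode": 540, "Logon_Type": 3, "Account_Name": ["foo"]},
    # foo is only the Subject here: foo started a logon as "admin" (runas-style).
    {"host": "fs01", "EventCode": 4624, "Logon_Type": 10, "Account_Name": ["foo", "admin"]},
    # A logoff (4634) is not selected by either search.
    {"host": "fs01", "EventCode": 4634, "Logon_Type": 10, "Account_Name": ["admin"]},
]


def logon_status(event_code):
    """The thread's `eval status=case(...)`: None for codes the searches do not select."""
    if event_code in SUCCESS_CODES:
        return "Successful Logon"
    if event_code in FAILURE_CODES:
        return "Failed Logon"
    return None


def target_account(event):
    """The account that actually logged on: the last Account_Name value."""
    return event["Account_Name"][-1]


def search(events, host=None, account=None, logon_types=None,
           include_failures=True, match_target_only=False):
    """Emulate `source=WinEventLog:security host=... Account_Name=... | stats count by status, Account_Name, host`.

    Returns a Counter keyed by (status, account, host). Like the search
    command, host/account comparisons are case-insensitive, and with the
    default match_target_only=False `Account_Name=<x>` is true when ANY value
    of the multi-valued field equals x. Rows are grouped on the target
    account only; `stats ... by Account_Name` on the raw multi-valued field
    would instead produce a row per value (e.g. an extra "MYSERVER$" row).
    """
    counts = Counter()
    for ev in events:
        status = logon_status(ev["EventCode"])
        if status is None:
            continue
        if not include_failures and status != "Successful Logon":
            continue
        if host is not None and ev["host"].lower() != host.lower():
            continue
        if logon_types is not None and ev["Logon_Type"] not in logon_types:
            continue
        if account is not None:
            candidates = [target_account(ev)] if match_target_only else ev["Account_Name"]
            if account.lower() not in (c.lower() for c in candidates):
                continue
        counts[(status, target_account(ev), ev["host"])] += 1
    return counts


if __name__ == "__main__":
    # An alert with trigger condition "number of results > 0" fires whenever a row exists.
    print("Successful logons to myServer:",
          sorted(search(SAMPLE_EVENTS, host="myServer", include_failures=False).items()))
    print("Interactive logons matching foo on any host:",
          sorted(search(SAMPLE_EVENTS, account="foo", logon_types=INTERACTIVE_TYPES).items()))
    print("Same, but only where foo is the target account:",
          sorted(search(SAMPLE_EVENTS, account="foo", logon_types=INTERACTIVE_TYPES,
                        match_target_only=True).items()))
```

Run stand-alone, the first query reports both foo's RDP logon and the SYSTEM service logon on myServer, which is why adding the Logon_Type filter from the second search is worth doing even for the host-only alert; the second query shows the admin logon on fs01 attributed to a search for foo, and the third shows the target-only match that avoids it.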

JasonGY
New Member

That worked, thank you again!


MuS
Legend

Great, please accept the answer in this case 😉

cheers, MuS


sundareshr
Legend

What logs are you capturing?


JasonGY
New Member

Server logs, Windows event security logs from AD.


sundareshr
Legend

This site has a pretty good collection of Splunk queries for Security logs. See if you find anything that you can use.

http://gosplunk.com/category/wineventlogsecurity/


JasonGY
New Member

That site has some really great content, but still nothing specific to my question. I can't see how to alert on successful logons to a specific host or all logons for a specific account to any host.
