
stats/eventstats - how to track open session when closed session entry does not have user id

lakshman239
SplunkTrust

I have the following logs from my Linux /var/log/secure

15/03/2016 10:30:20 server1 session opened for user root by joe
...
15/03/2016 10:40:20 server1 session closed for user root

...
15/03/2016 10:50:25 server1 session opened for user root by dany

If we don't see any 'session closed for user root' for more than 30 mins, we want to alert the operations team. As 'session closed for user root' doesn't have 'joe' or 'dany', using eventstats ..... by 'user' doesn't count the closed session.

I want to be able to find out the no. of open and closed sessions and alert, providing _time, host name, and the user whose session is open for more than 30 mins without any actions/activities on the server.

Any thoughts/suggestions please.

sundareshr
Legend

Try one of these

... | rex "(?<action>opened|closed)" | reverse | streamstats count as grp by action | stats values(action) as action latest(_time) as end earliest(_time) as start by grp | where mvcount(action)<2 OR end-start>1800

OR

... | transaction server startswith=opened endswith=closed max_span=1800  keepevicted=t | where closed_txn=0

instead of max_span=1800, you could also try max_events=2
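The positional pairing the first search does (each 'opened' matched to the next 'closed' for the same host and account, since the closed line carries no 'by user'), as an added Python example that is not part of the thread. The log lines are constructed in the format shown in the question; the 30-minute span and the "now" timestamp are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the question's format (not real log data).
SAMPLE_LOGS = """\
15/03/2016 10:30:20 server1 session opened for user root by joe
15/03/2016 10:40:20 server1 session closed for user root
15/03/2016 10:50:25 server1 session opened for user root by dany
15/03/2016 10:00:00 server3 session opened for user root by bob
15/03/2016 10:45:00 server3 session closed for user root
15/03/2016 11:00:00 server2 session opened for user root by ann
15/03/2016 11:05:00 server2 session closed for user root
"""

# 'by <user>' is optional because the closed line never carries it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"session (?P<action>opened|closed) for user (?P<account>\S+)(?: by (?P<user>\S+))?$"
)

def parse(lines):
    """Parse matching lines and return them in chronological order."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(e.pop("ts"), "%d/%m/%Y %H:%M:%S")
            events.append(e)
    return sorted(events, key=lambda e: e["time"])

def long_open_sessions(lines, now, max_span=timedelta(minutes=30)):
    """Return (host, user, opened_at, closed_at) for sessions that stayed open
    longer than max_span, or that never closed before 'now' (closed_at=None).
    Pairing is by (host, account) position, like streamstats over a reversed
    stream; a second 'opened' before a 'closed' replaces the earlier one."""
    open_by_key, flagged = {}, []
    for e in parse(lines):
        key = (e["host"], e["account"])
        if e["action"] == "opened":
            open_by_key[key] = e
        elif key in open_by_key:
            start = open_by_key.pop(key)
            if e["time"] - start["time"] > max_span:
                flagged.append((start["host"], start["user"], start["time"], e["time"]))
    for start in open_by_key.values():      # no matching 'closed' seen at all
        if now - start["time"] > max_span:
            flagged.append((start["host"], start["user"], start["time"], None))
    return flagged
```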

lakshman239
SplunkTrust

Thanks Sundaresh, that helps. Thinking aloud, after the user does su as root, if he/she continuously works on some activities using the root account, the session will be active even after 30 mins and we may not get 'closed'. So, in this case, we shouldn't send out an alert, as the session is still active....

Any thoughts?


sundareshr
Legend

In the first query, you can add values(user) and where NOT (user="su") to filter those out. In the second search, | where NOT mvfind(user, "su") (or something like that)
