Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Find computer availability

vikashnimoyle
New Member
‎05-29-2017 10:40 PM

index="windows_logins_test" LogName="Security" (EventCode=4624 AND EventCode!=4647) |table ComputerName

when I set this to a 1 min window and login I can see that an event has occurred, I leave the computer logged in and the next time this runs there is no event registered.

What I need to be able to do is check every minute and see all pcs that have logged in and being used, this just seems to log only the event of a successful login not also show that the pc is being used

Tags (1)
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎05-30-2017 05:41 AM

What you may have noticed is that there's simply no direct way to confirm, at least via things like security logs, that a PC is still on and in use. This is not really a Splunk-specific problem, but shows up in all sorts of cases and with all sorts of products.

There are partial solutions (And I'm sure others will come up with all sorts of creative ways, maybe one of those will work for you). Here's some notes about this, and perhaps some ideas.

First, how would you define "Logged in to and in use?" I often won't click a button or type a key for a minutes at a time on my PC at work. So, maybe I'm logged into it, but I can't say for sure if it's in use by anything the system is recording or logging. Without a keylogger or any other special software, I'm not sure there's a good way to tell it's in use. So I guess we'll have to assume that by "in use" means "Powered on, with someone logged into it, and without a logoff, sleep, hibernate, or 'lock desktop' event as the latest thing."

Second, by the way, one complication is when someone powers off the computer via inappropriate means (pulling the plug). How would windows "record" the fact that one moment it's working, the next it has no power and is off? It does so at next boot with a special entry saying "The last power off was unexpected". But in the meantime you just have a computer that doesn't respond. This may or may not be a concern.

Third, You've already found the security log logs things, but doesn't just log things to log them. Nowhere, for instance, does it just make an entry "Yo, User X is still logged in and 'doing things'". Indeed, how would you define "doing things?" What a shame, though I guess everyone complains about how chatty Microsoft's event logs are already...

Now, to some possible partial solutions:

A sort-of solution to the "logged in" is simply that there was no log off and no "going to sleep" or "lock desktop". There's a handful of events for logoff and sleep and whatnot that get logged, you could search for those. Hint: they're event id 4634 and others. See this link on audit information in Windows for more. Poke through the Logon, Logoff, and Other Logon/Logoff Events sections.

You could also make a scripted input (or indeed, just a batch file that runs every minute then pick up the output of that) using something like the query user command.

There are other solutions, I think the above information combined with a little searching of the interwebs may get you more information.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-16-2017 12:03 PM

vikashnimoyle,

If this resolved your issue, could you please mark it Accepted?

If it did not or you have more specific questions on those event codes or how to figure if a particular session is still active, please post back with more information or what's not working right so we can help finish this up!

Happy Splunking,
Rich

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...