- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Tracking User Activity Across applications without...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am attempting to track user activity from vdi login to the use of a shared account to log into an application. For example, user=Tim logs into his VDI session VDI-XXXX at 9am, then opens up application, sample_app, and logs in as user=admin. How do I bring the two events into one transaction? In this case, assume that we have the application account name only, admin and that the vdi user name can change.
I can track general logons as follows as a catchall:
index="*" user="*" "*logged*"
I've attempted to use a subsearch to narrow it down to just the application usage and hopefully the vdi session that led to the application logon but those searches come back blank.
Sample searches tried:
index=* user=* "*logged*" [search sourcetype=sample_app user=admin "*logged*" | fields + user, computer, event] | table _time, user, computer, event | sort _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I found a better way to complete this query, using a multisearch. See updated query below. It searches for VDI session computer utilizing a inputlookup searching for expected users of the shared account. The second search is just checking for login activity for the shared account along for the application.
|multisearch [search index=* *logged* ComputerName=pci-vdi* [|inputlookup account_users |fields + user] |fields + user,name, ComputerName,Msg,app, EventCode,src_ip] [search sourcetype=application user="sharedaccount" *logged* action=success | fields + user,host, Msg, app] | eval computer= coalesce(ComputerName, host), event=coalesce(name, Msg), Hour=strftime(_time, "%B %d %Y, %I:%M:%S %p"), user=upper(user) | dedup computer event |where computer!=" " | table Hour, user, computer, app,event | sort Hour user
Now I need to figure out how to populate the searches only when search 2 finds a hit. Thoughts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I found a better way to complete this query, using a multisearch. See updated query below. It searches for VDI session computer utilizing a inputlookup searching for expected users of the shared account. The second search is just checking for login activity for the shared account along for the application.
|multisearch [search index=* *logged* ComputerName=pci-vdi* [|inputlookup account_users |fields + user] |fields + user,name, ComputerName,Msg,app, EventCode,src_ip] [search sourcetype=application user="sharedaccount" *logged* action=success | fields + user,host, Msg, app] | eval computer= coalesce(ComputerName, host), event=coalesce(name, Msg), Hour=strftime(_time, "%B %d %Y, %I:%M:%S %p"), user=upper(user) | dedup computer event |where computer!=" " | table Hour, user, computer, app,event | sort Hour user
Now I need to figure out how to populate the searches only when search 2 finds a hit. Thoughts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Index=internal sourcetyp=* | stats count by clientip,user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Samples events are below:
VDI logon events:
"An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
Security ID: LB\DEV1$
Account Name: DEV1$
Account Domain: LB
Logon ID: 0x894B5E95
Logon GUID: {f09e5f81-9f19-5f11-29b8-8750c7c02be3}
Process Information:
Process ID: 0x0
Process Name: -"
Application logon sample: (these differ per application) - Use of the root account in linux
"su: pam_unix(su-l session): session opened for user root by (uid-=0)"
For VDI type: VMWare (unsure which version though).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did I reformat your text correctly? You have neglected to show _time which is really the key here. How close together are these events in time (or should I say "at worst, how far apart are the matching events from eachother in tme")? And is it always 1-to-1 for pairing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In addition to showing some sample events, it might also be useful to know which VDI system you are using in case there's some additional or different logs you can enable that will tell you this information directly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are going to have to show some sample events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Samples events are below:
VDI logon events:
"An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
Security ID: LB\DEV1$
Account Name: DEV1$
Account Domain: LB
Logon ID: 0x894B5E95
Logon GUID: {f09e5f81-9f19-5f11-29b8-8750c7c02be3}
Process Information:
Process ID: 0x0
Process Name: -"
Application logon sample: (these differ per application) - Use of the root account in linux
"su: pam_unix(su-l session): session opened for user root by (uid-=0)"
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
