Splunk Enterprise Security

Tracking Session Open/Closed

Hegemon76
Communicator

Hello,

How could I track if a session is opened but not closed immediately and by track I mean implementing a rule to alert for a session longer than a second?

Apparently I don't have enough points to post the logs associated with this in a picture :(.

4/3/18 Apr 3 09:00:00 nwknjrhca1 sshd[31059]: pam_unix(sshd:session): session opened for user "x" by (uid=0)

Then there is a correspond event for the session being closed at the exact same time.

4/3/18 Apr 3 09:00:00 nwknjhca1 sshd[30997]: pam_unix(sshd:session): session closed for user "x"

Any help would be greatly appreciated!

Thanks!

0 Karma
1 Solution

Hegemon76
Communicator

index=main sourcetype=linux_secure user="x" | transaction pid startswith="session opened" endswith="session closed"| table _time user duration

So if I can somehow get this to show duration of greater than 2 seconds and report on that.....would be perfect.....

View solution in original post

0 Karma

Hegemon76
Communicator

index=main sourcetype=linux_secure user="x" | transaction pid startswith="session opened" endswith="session closed"| table _time user duration

So if I can somehow get this to show duration of greater than 2 seconds and report on that.....would be perfect.....

0 Karma

elliotproebstel
Champion

Create an alert, and use this search:

index=main sourcetype=linux_secure user="x" 
| transaction pid startswith="session opened" endswith="session closed"
| where duration>2
| table _time user duration

Set it to trigger a notification if the number of events is greater than 0.

0 Karma

Hegemon76
Communicator

My goodness I knew it would be easy....

Sigh

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...