Hello,
How could I track if a session is opened but not closed immediately and by track I mean implementing a rule to alert for a session longer than a second?
Apparently I don't have enough points to post the logs associated with this in a picture :(.
4/3/18 Apr 3 09:00:00 nwknjrhca1 sshd[31059]: pam_unix(sshd:session): session opened for user "x" by (uid=0)
Then there is a corresponding event for the session being closed at the exact same time.
4/3/18 Apr 3 09:00:00 nwknjhca1 sshd[30997]: pam_unix(sshd:session): session closed for user "x"
Any help would be greatly appreciated!
Thanks!
index=main sourcetype=linux_secure user="x" | transaction pid startswith="session opened" endswith="session closed"| table _time user duration
So if I can somehow get this to show duration of greater than 2 seconds and report on that.....would be perfect.....
Create an alert, and use this search:
index=main sourcetype=linux_secure user="x"
| transaction pid startswith="session opened" endswith="session closed"
| where duration>2
| table _time user duration
Set it to trigger a notification if the number of events is greater than 0.
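For anyone who wants to see what the `transaction pid startswith="session opened" endswith="session closed" | where duration>2` search is doing under the hood, below is an added example (not part of this thread or of Splunk) that pairs the same pam_unix lines in Python. It joins each "session opened" with the next "session closed" on the same host and pid and reports pairs longer than a threshold. It also goes one step beyond the SPL: an "opened" with no matching "closed" never forms a transaction, so the search above stays silent on it, whereas this script lists those still-open sessions separately. The sample log lines, host name, pids and the assumed year (syslog timestamps carry none) are constructed for the example. Note one caveat visible in the original post: the two lines quoted there carry different pids (31059 and 30997), and a pid-keyed join, in SPL or here, will not pair those two.

```python
import re
from datetime import datetime

# Matches the pam_unix sshd session lines quoted in the thread. Stock pam_unix
# writes the user name unquoted, so the quotes are optional here.
LINE_RE = re.compile(
    r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): '
    r'session (?P<action>opened|closed) for user "?(?P<user>[^"\s]+)"?'
)

# Constructed sample input (not taken from the original post). Syslog
# timestamps have no year, so one is assumed in parse_line().
SAMPLE_LINES = [
    'Apr  3 09:00:00 nwknjrhca1 sshd[31059]: pam_unix(sshd:session): session opened for user "x" by (uid=0)',
    'Apr  3 09:00:00 nwknjrhca1 sshd[31059]: pam_unix(sshd:session): session closed for user "x"',
    'Apr  3 09:00:05 nwknjrhca1 sshd[31100]: pam_unix(sshd:session): session opened for user y by (uid=0)',
    'Apr  3 09:00:30 nwknjrhca1 sshd[31100]: pam_unix(sshd:session): session closed for user y',
    'Apr  3 09:00:31 nwknjrhca1 sshd[30997]: pam_unix(sshd:session): session closed for user "x"',
    'Apr  3 09:01:00 nwknjrhca1 sshd[31200]: pam_unix(sshd:session): session opened for user "x" by (uid=0)',
    'Apr  3 09:01:01 nwknjrhca1 sudo: pam_unix(sudo:session): session opened for user root by x(uid=1000)',
]


def parse_line(line, year=2018):
    """Return a dict for an sshd session open/close line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "host": m["host"], "pid": m["pid"],
            "action": m["action"], "user": m["user"]}


def session_report(lines, threshold=2.0, user=None, year=2018):
    """Pair each 'opened' with the next 'closed' on the same (host, pid), the way
    `transaction pid startswith="session opened" endswith="session closed"` does,
    and return sessions longer than `threshold` seconds plus any never closed."""
    open_sessions = {}   # (host, pid) -> stack of open events awaiting a close
    long_sessions = []
    for ev in (parse_line(l, year) for l in lines):
        if ev is None or (user is not None and ev["user"] != user):
            continue
        key = (ev["host"], ev["pid"])
        if ev["action"] == "opened":
            open_sessions.setdefault(key, []).append(ev)
            continue
        stack = open_sessions.get(key)
        if not stack:
            # A close with no matching open on this pid: transaction would not
            # form an event either, so it is skipped rather than alerted on.
            continue
        start = stack.pop()
        duration = (ev["time"] - start["time"]).total_seconds()
        if duration > threshold:
            long_sessions.append({"_time": start["time"], "host": start["host"],
                                  "pid": start["pid"], "user": start["user"],
                                  "duration": duration})
    # Opens that never saw a close: the "opened but not closed" case from the question.
    unclosed = [ev for stack in open_sessions.values() for ev in stack]
    return {"long": long_sessions, "unclosed": unclosed}


if __name__ == "__main__":
    report = session_report(SAMPLE_LINES)
    for s in report["long"]:
        print(f'{s["_time"]} {s["host"]} pid={s["pid"]} user={s["user"]} duration={s["duration"]:.0f}s')
    for ev in report["unclosed"]:
        print(f'{ev["time"]} {ev["host"]} pid={ev["pid"]} user={ev["user"]} still open')
```

The `user` argument mirrors the `user="x"` filter in the search; leaving it as `None` scans every user, which is what you would want for a fleet-wide alert. Like the SPL, this assumes the close is logged by the same pid as the open and that both lines land on the same host; a sudo session on the same box is ignored because the pattern is anchored on `sshd[`.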
My goodness I knew it would be easy....
Sigh