How to write a query when two users are logged in ...

vin02 · ‎08-02-2018

A user has created other user then logged in with this user from same terminal. How to write query for this use case?

DalJeanis · ‎08-02-2018

you need to ask your data center (whoever is asking for this) to identify what kinds of transaction they are interested in. For instance, in windows, the user creation event might be represented by a Windows event code 4724 or 624. Within Active Directory, it might be represented by 4720, 4722, 4724 and/or 4738. Th logon might be a 528 or 4624. It also might be ssh/putty or other remote logons.

On the other hand, on various linux machines, you will need the wording of the actual events. are they looking for su and sudo events, pam records, or something else?

If no one around you can tell you the format you are looking for, then you have to look for yourself.

Log off, log on, then look for the records in whatever index someone says they ought to be in. Here are some other suggestions in the answer to this one:

https://answers.splunk.com/answers/548689/is-it-possible-to-monitor-sudo-and-root-users-usin.html

here is some language that someone wrote to search out this kind of data. some of it may be useful to you.

https://answers.splunk.com/answers/617340/how-can-i-tie-together-windows-logon-and-linux-ssh.html

vin02 · ‎08-03-2018

user has created new user from splunk UI and logged in with new user in UI console.

somesoni2 · ‎08-02-2018

What logs you're searching on?

How to write a query when two users are logged in from the same terminal?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms