Security

How do I track a user's login session from VPN to Windows server(s)?

mikeyemane
New Member

I would like to be able to track a user's login session from the VPN and then their login to Windows server(s). User login scenario: VPN login --> Windows Server Login --> Windows Server Login

VPN Search --> userid=user.id

index=x "Login succeeded" | rex "\]\sGDI\\\(?<userid>[^\(]+)"

Windows Search --> user=user.id

index=wineventlog sourcetype="WinEventLog:Security" Account_Name!="*$" AND Account_Name!=SYSTEM AND EventCode=4624 AND user!="ANONYMOUS LOGON"

I would like to create a table that shows their login time at the VPN, and the login time and process(es) started on the Windows servers. I can do this separately, but how do I combine the searches?

Thanks.

0 Karma

DEAD_BEEF
Builder

Hi there, hoping this gets you started. I think what you are trying to do is present a table that has information from your VPN logs AND your Windows server logs. Thankfully, it appears that you can join the two logs based on the userid that you are extracting via rex. I rewrote your NOT statements, as != is different from NOT, and I think you want the latter. You can read up on the nuances between them here. Either way, perhaps this puts you on the path to your solution.

This query searches your VPN logs and extracts the userid. It then passes it to your Windows server logs and searches based on that userid. We then join the Windows server logs that we care about with the VPN logs and match them together based on a common userid (when they match). Finally, once they are joined you can reference the fields from both the VPN index and the Windows server index.

Lastly, I would recommend two things:
1. That you create a field extraction for your userid so that you can remove the rex from the search. This can be done via Settings > Fields > Field extractions > Add new. For this field to appear for other users, ensure it has the proper permissions once created.
2. That you create an event type, Win_User_Logon to simplify the query (remove all the NOT filtering from the main query by using it via the event type). This can be done via Settings > Event types > Add new.

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 NOT (Account_Name="*$" OR Account_Name=SYSTEM OR user="ANONYMOUS LOGON")
    [ search index=x "Login succeeded"
    | rex "\]\sGDI\\\(?<userid>[^\(]+)"
    | rename userid AS user
    | fields user ]
| eval userid=user, winLogonTime=strftime(_time, "%Y-%m-%d %H:%M:%S")
| join userid overwrite=f
    [ search index=x "Login succeeded"
    | rex "\]\sGDI\\\(?<userid>[^\(]+)"
    | eval login_time = _time
    | convert ctime(login_time)
    | fields userid login_time ]
| stats count by userid login_time winLogonTime

Assuming you also implemented my two recommendations, you could reduce this search to:

index=wineventlog eventtype="Win_User_Logon"
    [ search index=x "Login succeeded"
    | rename userid AS user
    | fields user ]
| eval userid=user, winLogonTime=strftime(_time, "%Y-%m-%d %H:%M:%S")
| join userid overwrite=f
    [ search index=x "Login succeeded"
    | eval login_time = _time
    | convert ctime(login_time)
    | fields userid login_time ]
| stats count by userid login_time winLogonTime
0 Karma
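A single-search alternative to the join approach, added here as an illustration and not code from any answer in this thread: it pulls the VPN logins, the Windows logons (4624) and the process-start events (4688) in one search and correlates them per user with stats, so it is not subject to subsearch or join result limits and also answers the "processes started" part of the question. It assumes the question's index names and rex, that the account name is the same on both sides (normalised with lower()), that the Windows add-on exposes `user` on both 4624 and 4688 events, and that 4688 events carry `New_Process_Name`.

```spl
(index=x "Login succeeded")
    OR (index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4688)
        NOT (Account_Name="*$" OR Account_Name=SYSTEM OR user="ANONYMOUS LOGON"))
| rex "\]\sGDI\\\(?<userid>[^\(]+)"
| eval userid=lower(coalesce(userid, user))
| eval vpn_login=if(index="x", _time, null())
| eval win_logon=if(EventCode=4624, _time, null())
| eval win_server=if(EventCode=4624, host, null())
| eval process=if(EventCode=4688, New_Process_Name, null())
| stats min(vpn_login) AS vpn_login_time
        min(win_logon) AS first_win_logon_time
        count(eval(EventCode=4624)) AS win_logons
        values(win_server) AS servers
        values(process) AS processes
        by userid
| where isnotnull(vpn_login_time) AND isnotnull(first_win_logon_time)
| where first_win_logon_time >= vpn_login_time
| sort 0 vpn_login_time
| convert ctime(vpn_login_time) ctime(first_win_logon_time)
| table userid vpn_login_time first_win_logon_time win_logons servers processes
```

The two `where` lines keep only users who have both a VPN login and a later Windows logon in the search window; drop them to also see users who logged on to a server without going through the VPN, which is often the more interesting case for detection.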

dimitryz
Path Finder

Hi,
you can use the first search as a subsearch of the second search.

Something like this:

index=wineventlog sourcetype="WinEventLog:Security" Account_Name!="*$" AND Account_Name!=SYSTEM AND EventCode=4624
    [ search index=x "Login succeeded"
    | rex "\]\sGDI\\\(?<userid>[^\(]+)"
    | rename userid AS user
    | stats count by user
    | fields - count
    | format ]
| table *

0 Karma