Splunkers... I have dug thru the Answers Area for quite some time, and have not found what I am looking for. I am thinking that the solution would be in some form of transaction, but I am a bit of a neophyte with Splunk and am having difficulty developing a solution.
So.. I am hoping that y'all might be able to help me.
Problem: I have users who are likely sharing their VPN accounts to access my network. My assumption is that ANY user who is logged more than once over the same time period would be sharing accounts
I want to identify those users, and report who they are, how often the accounts are shared
My logging is from a Cisco VPN Concentrator and the logging looks like
Oct 8 15:30:19 XXX.XXX.com local0:notice 800067: 2010 Oct 08 15:28:56.460 EDT -4:00 %AUTH-5-28: RPT=138359: xxx.xxx.xxx.xxx: User [domain1\tannesh] Group [remotentusers] disconnected: Session Type: IPSec/UDP Duration: 0:00:50 Bytes xmt: 749392 Bytes rcv: 112960 Reason: User Requested
Oct 8 15:29:58 xxx.xxx.com local0:notice 800038: 2010 Oct 08 15:28:35.840 EDT -4:00 %IKE-5-52: RPT=139484: xxx.xxx.xxx.xxx: Group [remotentusers] User [domain1\tannesh] User (tannesh) authenticated.
My closest Failed Attempt looks like
eventtype="VPN LogData"| search authenticated OR disconnected |rex field=_raw "(^.*\sUser\s\[\w+\]\sUser\s\(\w+\)\s)(?<CMD>.*)(\..*$)" | rex field=_raw "(^.*\[remotentusers\]\s)(?<REZULT>.*)(Session\sType.*$)" |rex field=_raw "(^.*Duration:\s)(?<DURA>.*)(\s+Bytes\sxmt:.*$)" |transaction DURA CMD maxpause=5m
Thanks..
Let's assume that you have a field extracted called "User". Then you can just use transaction with startswith and endswith. Any duplicate will have more than two events because there will be two authenticates before the first disconnect. So, for example:
... | transaction User startswith=authenticated endswith=disconnected | search eventcount > 2
This seems to work... Thanks very much