Splunk Search

splunk search for users logging onto servers

chetanchauhan
New Member

Hi,

I have deployed Splunk to log data of users who are logging onto servers (Unix and Windows). I want to create a report that shows users who are not permitted to log onto those servers. I have been given a list of users who are permitted to log on, so I wanted to create a search which shows users logging on except the permitted users. I am trying to use the following:

| stats count by User

Please can someone advise what commands to use to include the list of permitted users I have and to exempt them from the search result?

Regards,

Chetan


chetanchauhan
New Member

Hi,

Thanks, the following worked:

EventCode=18453 | search NOT [ | inputlookup allowed_users.csv ] | stats count by User

However, the header of the CSV file should be User to match the syslog message.

Regards,


somesoni2
Revered Legend

You can rename the field name in the subsearch. That way you can keep your CSV headers the same as before.


chetanchauhan
New Member

Hi,

Thanks for your assistance. Is there any particular place the allowed_user.csv would need to be? For example, if I am on a Terminal Server and running Splunk over HTTP, can that CSV be somewhere on that terminal server and I direct the lookup to it?

Regards,


kalianov
Path Finder

I think that your user.csv must be placed in $SPLUNK_HOME/etc/system/lookups
on your Splunk server, and you need to add some stanzas to $SPLUNK_HOME/etc/system/transforms.conf,
something like this:

[allowed_users]
filename=user.csv


somesoni2
Revered Legend

Try something like this (assuming you have the list of permitted users and have configured it as a lookup, say allowed_users.csv):

your base search giving all users | search NOT [ |inputlookup allowed_users.csv | table User] | stats count as LoginCount by User

This should show you the login count for the users which are not present in allowed_users.csv, which lists the users that are allowed.
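The two searches below are an added example (not posted by anyone in this thread) that put together the subsearch exclusion above and the rename-in-subsearch suggestion, and then show the same report written with the lookup command instead of a subsearch. Assumptions: the logon events are Windows Security events with EventCode 4624 in an index named wineventlog (substitute your own base search), the CSV has a header named username rather than User, and, for the second search, a lookup definition named allowed_users has been created in transforms.conf for that CSV, as described in the post above.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
| search NOT [ | inputlookup allowed_users.csv | rename username AS User | fields User ]
| stats count AS LoginCount BY User, host

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
| lookup allowed_users username AS User OUTPUT username AS permitted
| where isnull(permitted)
| stats count AS LoginCount BY User, host
```

The first form expands the subsearch into a list of `User="..."` clauses that are ORed together and negated, so it is limited by the subsearch result cap (10,000 rows by default) and its timeout; a long permitted-user list silently gets truncated and non-permitted users can slip through. The second form joins every event against the lookup and keeps only rows where no match was found, which scales to any list size. Note the matching differs: the search command compares field values case-insensitively, while a lookup is case-sensitive by default, so normalise with `| eval User=lower(User)` before the lookup (and store the CSV in lower case) if account names arrive in mixed case from Windows and Unix hosts. Adding host to the stats split shows which server each unexpected logon landed on. In either form the CSV lives on the Splunk search head (or in an app's lookups directory), not on the server you are browsing the search UI from.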
