Windows Dashboard Showing Who Was Logged On to a Host

A dashboard with three side-by-side panels, one per host, so you can drill into three separate assets and see who logged on to each, when they logged on, and how. It covers interactive logons only: Logon Type 10 (RemoteInteractive, i.e. RDP), Type 2 (Interactive, at the console) and Type 7 (Unlock, which also covers reconnects to an existing session). Type 3 network logons (shared file access, WMI, WinRM and the like) are deliberately left out, so purely network-based access to a host will not appear in these tables.

A time picker lets you change the time frame on the fly; it defaults to the last 24 hours.

No add-ons are required; it should work on a standard Splunk install that is indexing Windows Security event code 4624, since the searches only rely on the Logon_Type field extracted from the event's "Logon Type:" line. Two things to check before use: the searches do not specify an index, so your role must be able to search the index holding the Windows events (otherwise add index=... at the start of each query), and the source=wineventlog filter must match how your inputs name the Security log source.

<form theme="dark">
  <label>Who Logged On?</label>
  <fieldset submitButton="false">
    <input type="time" token="timeFrame">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- One hostname token per panel; each panel re-runs its search as soon as its hostname changes. -->
    <input type="text" token="Hostname1" searchWhenChanged="true">
      <label>Hostname</label>
    </input>
    <input type="text" token="Hostname2" searchWhenChanged="true">
      <label>Hostname #2</label>
    </input>
    <input type="text" token="Hostname3" searchWhenChanged="true">
      <label>Hostname #3</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$Hostname1$</title>
      <table>
        <search>
          <!-- Interactive logons only (2 = console, 7 = unlock/reconnect, 10 = RDP); Type 3 network logons are excluded.
               The rex anchors on "New Logon:" so it captures the account that logged on, not the "Subject:" that requested the logon. -->
          <query>source=wineventlog EventCode=4624 (Logon_Type=10 OR Logon_Type=7 OR Logon_Type=2) host=$Hostname1$
| rex "New Logon:\s+Security ID:\s+(?&lt;account&gt;.*)"
| eval Type=case(Logon_Type=10,"Remote Logon",
                 Logon_Type=2,"Local Logon",
                 Logon_Type=7,"Screen Unlock")
| table _time host Type account
| sort _time desc</query>
          <earliest>$timeFrame.earliest$</earliest>
          <latest>$timeFrame.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <title>$Hostname2$</title>
      <table>
        <search>
          <query>source=wineventlog EventCode=4624 (Logon_Type=10 OR Logon_Type=7 OR Logon_Type=2) host=$Hostname2$
| rex "New Logon:\s+Security ID:\s+(?&lt;account&gt;.*)"
| eval Type=case(Logon_Type=10,"Remote Logon",
                 Logon_Type=2,"Local Logon",
                 Logon_Type=7,"Screen Unlock")
| table _time host Type account
| sort _time desc</query>
          <earliest>$timeFrame.earliest$</earliest>
          <latest>$timeFrame.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <title>$Hostname3$</title>
      <table>
        <search>
          <query>source=wineventlog EventCode=4624 (Logon_Type=10 OR Logon_Type=7 OR Logon_Type=2) host=$Hostname3$
| rex "New Logon:\s+Security ID:\s+(?&lt;account&gt;.*)"
| eval Type=case(Logon_Type=10,"Remote Logon",
                 Logon_Type=2,"Local Logon",
                 Logon_Type=7,"Screen Unlock")
| table _time host Type account
| sort _time desc</query>
          <earliest>$timeFrame.earliest$</earliest>
          <latest>$timeFrame.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
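To show what each panel's search actually does to a raw 4624 record, here is the same logic replayed offline in Python over a handful of constructed events. This is an added example, not code from the original post: the event text mimics the classic WinEventLog rendering a Splunk forwarder indexes, but every hostname, account and timestamp in it is made up, and ComputerName is used in place of Splunk's host field. It reproduces the panel's filter on EventCode and Logon_Type, the "New Logon:"-anchored extraction of the account, the case() labelling, and the sort by _time descending, and it includes a Type 3 event to show that network logons fall out of the table.

```python
"""Offline replay of the dashboard's per-panel search over constructed
EventCode 4624 records (added example; not the original page's code)."""
import re
from datetime import datetime

# Same mapping as the dashboard's eval/case(): interactive logon types only.
LOGON_TYPE_LABELS = {10: "Remote Logon", 2: "Local Logon", 7: "Screen Unlock"}

# Splunk's rex uses PCRE named groups (?<account>...); Python spells them (?P<account>...).
# Anchoring on "New Logon:" matters: a 4624 record carries two "Security ID:" lines,
# one under "Subject:" (whoever requested the logon, often SYSTEM) and one under
# "New Logon:" (the account that actually logged on). Only the second is wanted.
NEW_LOGON_SID_RE = re.compile(r"New Logon:\s+Security ID:\s+(?P<account>.*)")
LOGON_TYPE_RE = re.compile(r"Logon Type:\s+(?P<type>\d+)")


def _event(ts, host, logon_type, subject_sid, new_sid):
    """Build one constructed 4624 record in classic WinEventLog text form (values are fictional)."""
    machine = host.split(".")[0]
    user = new_sid.rsplit("\\", 1)[-1]
    return (
        f"{ts}\n"
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        "EventCode=4624\n"
        f"ComputerName={host}\n"
        "Message=An account was successfully logged on.\n\n"
        f"Subject:\n\tSecurity ID:\t\t{subject_sid}\n\tAccount Name:\t\t{machine}$\n\n"
        f"Logon Type:\t\t\t{logon_type}\n\n"
        f"New Logon:\n\tSecurity ID:\t\t{new_sid}\n\tAccount Name:\t\t{user}\n"
    )


# Constructed sample set: three interactive logons on WS01, one network logon on WS01
# (must be excluded) and one RDP logon on a different host (must not leak into WS01's panel).
SAMPLE_EVENTS = [
    _event("09/14/2018 08:02:11 AM", "WS01.corp.example", 2, "NT AUTHORITY\\SYSTEM", "CORP\\jsmith"),
    _event("09/14/2018 08:40:35 AM", "WS01.corp.example", 3, "NULL SID", "CORP\\svc-backup"),
    _event("09/14/2018 12:17:03 PM", "WS01.corp.example", 7, "NT AUTHORITY\\SYSTEM", "CORP\\jsmith"),
    _event("09/14/2018 09:30:00 PM", "WS01.corp.example", 10, "NT AUTHORITY\\SYSTEM", "CORP\\admin-ops"),
    _event("09/14/2018 09:31:00 PM", "SRV02.corp.example", 10, "NT AUTHORITY\\SYSTEM", "CORP\\admin-ops"),
]


def parse_4624(raw):
    """Extract the fields the dashboard relies on: _time, host, EventCode, Logon_Type, account."""
    first_line = raw.split("\n", 1)[0]
    when = datetime.strptime(first_line, "%m/%d/%Y %I:%M:%S %p")
    code = int(re.search(r"^EventCode=(\d+)$", raw, re.M).group(1))
    host = re.search(r"^ComputerName=(.+)$", raw, re.M).group(1)  # stand-in for Splunk's host field
    ltype = LOGON_TYPE_RE.search(raw)
    sid = NEW_LOGON_SID_RE.search(raw)
    return {
        "_time": when,
        "host": host,
        "EventCode": code,
        "Logon_Type": int(ltype.group("type")) if ltype else None,
        "account": sid.group("account").strip() if sid else None,
    }


def who_logged_on(events, host):
    """Equivalent of one dashboard panel: filter, label, table _time host Type account, sort _time desc."""
    rows = []
    for raw in events:
        ev = parse_4624(raw)
        if ev["EventCode"] != 4624 or ev["host"].lower() != host.lower():
            continue
        if ev["Logon_Type"] not in LOGON_TYPE_LABELS:  # drops Type 3 (network), 4, 5, ...
            continue
        rows.append((ev["_time"], ev["host"], LOGON_TYPE_LABELS[ev["Logon_Type"]], ev["account"]))
    return sorted(rows, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    for when, host, kind, account in who_logged_on(SAMPLE_EVENTS, "WS01.corp.example"):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {host:<20} {kind:<14} {account}")
```

Run as-is it prints WS01's three interactive logons newest first, with the Type 3 service-account logon and the SRV02 event absent; swapping the regex for a plain "Security ID:\s+(.*)" would instead return the Subject SID (SYSTEM) for every row, which is the mistake the anchored rex in the dashboard avoids.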

Comments

    1. SplunkNinja

      Armando,
      You’ll need to have access to the correct indexes for this, you might need to manually enter the index name if your role doesn’t search all non-internal indexes by default.

  1. Rayner

    I tried it .. not working.. I just added index=main at the beginning

    Giving the below error:

    Error in 'search' command: Unable to parse the search: Comparator '<' has an invalid term on the left hand side: index=main.
    The search job has failed due to an error. You may be able view the job in the Job Inspector.

    can someone help.

    1. Rich Galloway

      Where did you insert 'index=main'? It should be at the beginning of each , not at the beginning of the code. If you could provide more context, then someone may be able to help.
