Filter Total time a user Logged in ( Log on to Log Off time ) to RDP of Windows Server

I want to know the total time a user logged in to Windows Server i.e. user log on to log off in a Data Table.

I am using the following configurations in Logstash :

input {
	beats {
		port => 5044
filter {
	if [type] == "wineventlog"   {
		geoip {
			source => "[event_data][IpAddress]"
output {
    elasticsearch {
    			hosts => "localhost:9200"
    			manage_template => false
    			index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    			document_type => "%{[@metadata][type]}" 

I am getting the output on Kibana and I have created the following dashboards :

I want Data Table of user's Login time , Logout time and Total time a user Logged in .

Apart from that I want to show the reason why the user Logged off . whether it is disconnected or logged off.

I didn't see any event_id:4779 in the logs and event viewer of Window Server ( even if I have disconnected the session forcefully by killing the process ).

Please help me to resolve this issue. I would be very grateful to ELK Team .

I think only a Terminal Server logged this event. But i'm not 100% sure. What you can do is to look for 4647 and 4643. See here

How I can achieve this in Kibana ?

There isn't a way to do this directly in Kibana.

A general method to do this is:

  1. When a logout event is received, lookup the matching logon event using the Logon ID contained in both events.
  2. Calculate the elapsed time between the two events.

I think it should be possible to setup Watcher to do this for you and index the results into a separate index (like a logon session index).

I am really glad you responded. I haven't used Watcher yet in my Project. Is Watcher compatible with ELK 5.4.X ?

How I have to filter the events in Watcher. Would you be more specific and help me to resolve this.

If you need anything, do let me know.

Watcher (aka Alerting) is part of X-Pack and it fully compatible. It does require a license after a 30 day trial.

There are probably a few ways to accomplish it. None of them are trivial. I've done something similar where a user wanted to identify periods of user logon inactivity that were greater than 30 days. For this we did a query for successful logon events, then used a terms aggregation on the username field to create buckets of logon events that were specific to a single user, then we used a scripted_metric to calculate the time between events.

You could do something similar. And you don't need watcher to test out the queries and aggregations. You'll want watcher to automate the process for you after you have the query working.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.