Logontime logofftime

Hello, I'm currently using Winlogbeat for Windows server monitoring. How do I know the logon and logoff time of a user on a Windows server?

Here's an example of Splunk's report:

The login and logoff times can be determined from two separate events:

You can correlate the two events based on the TargetLogonId field. Then compute the difference between the timestamps to get the duration for the session. The transform feature is good for this. It can create a new index that contains data similar to that report. Here's a quick example:

PUT _transform/windows-login-durations
{
  "source": {
    "index": [
      "winlogbeat-*"
    ],
    "query": {
      "bool": {
        "should": [
          {
            "bool": {
              "should": [
                {
                  "match": {
                    "winlog.event_id": "4634"
                  }
                }
              ],
              "minimum_should_match": 1
            }
          },
          {
            "bool": {
              "should": [
                {
                  "match": {
                    "winlog.event_id": "4624"
                  }
                }
              ],
              "minimum_should_match": 1
            }
          }
        ],
        "minimum_should_match": 1
      }
    }
  },
  "pivot": {
    "group_by": {
      "winlog.event_data.TargetLogonId": {
        "terms": {
          "field": "winlog.event_data.TargetLogonId"
        }
      },
      "user.name": {
        "terms": {
          "field": "user.name"
        }
      }
    },
    "aggregations": {
      "@timestamp.min": {
        "min": {
          "field": "@timestamp"
        }
      },
      "@timestamp.max": {
        "max": {
          "field": "@timestamp"
        }
      },
      "duration": { 
        "bucket_script": {
          "buckets_path": {
            "start": "@timestamp.min.value",
            "end": "@timestamp.max.value"
          },
          "script": "params.end - params.start"
        }
      }
    }
  },
  "frequency": "1m",
  "dest": {
    "index": "transform-windows-login-durations"
  },
  "settings": {
    "max_page_search_size": 500
  }
}

Then, after you start the transform, it will create data like this. You can then create a visualization for this data or export it.

GET transform-windows-login-durations/_search
{
  "took" : 6,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 719,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "transform-windows-login-durations",
        "_id" : "ZTDkJSSfP1etbYyvhphqo5w7AAAAAAAA",
        "_score" : 1.0,
        "_source" : {
          "duration" : 49.0,
          "winlog" : {
            "event_data" : {
              "TargetLogonId" : "0x109266"
            }
          },
          "@timestamp" : {
            "min" : "2020-12-22T17:56:47.573Z",
            "max" : "2020-12-22T17:56:47.622Z"
          },
          "user" : {
            "name" : "elastic"
          }
        }
      },
      {
        "_index" : "transform-windows-login-durations",
        "_id" : "ZTBMl4QYXaD6jMxC0OJF6Ab2AAAAAAAA",
        "_score" : 1.0,
        "_source" : {
          "duration" : 82.0,
          "winlog" : {
            "event_data" : {
              "TargetLogonId" : "0x109c04"
            }
          },
          "@timestamp" : {
            "min" : "2020-12-22T17:56:47.626Z",
            "max" : "2020-12-22T17:56:47.708Z"
          },
          "user" : {
            "name" : "elastic"
          }
        }
      },
...
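The same 4624/4634 pairing done offline, as an added example that is not from this thread: the events below are constructed in Winlogbeat's field layout, durations are computed per TargetLogonId like the transform's bucket_script, and a logon with no matching logoff is reported as an open session instead of being dropped.

```python
# Added example (not from the thread): pair Winlogbeat logon (4624) and logoff (4634)
# events on TargetLogonId and compute per-session durations, the same grouping the
# transform above does, run offline over a few constructed events.
from datetime import datetime, timedelta, timezone

# Constructed sample events in Winlogbeat's field layout (not real log data).
SAMPLE_EVENTS = [
    {"@timestamp": "2020-12-22T17:56:47.573Z", "user": {"name": "elastic"},
     "winlog": {"event_id": "4624", "event_data": {"TargetLogonId": "0x109266"}}},
    {"@timestamp": "2020-12-22T17:56:47.622Z", "user": {"name": "elastic"},
     "winlog": {"event_id": "4634", "event_data": {"TargetLogonId": "0x109266"}}},
    {"@timestamp": "2020-12-22T17:56:47.626Z", "user": {"name": "elastic"},
     "winlog": {"event_id": "4624", "event_data": {"TargetLogonId": "0x109c04"}}},
    {"@timestamp": "2020-12-22T17:56:47.708Z", "user": {"name": "elastic"},
     "winlog": {"event_id": "4634", "event_data": {"TargetLogonId": "0x109c04"}}},
    # A logon with no logoff yet: the session is still open.
    {"@timestamp": "2020-12-22T18:00:00.000Z", "user": {"name": "svc-backup"},
     "winlog": {"event_id": "4624", "event_data": {"TargetLogonId": "0x10a000"}}},
    # Other event ids are ignored, as the transform's query does.
    {"@timestamp": "2020-12-22T18:00:01.000Z", "user": {"name": "elastic"},
     "winlog": {"event_id": "4672", "event_data": {}}},
]

def parse_ts(value):
    """Parse Winlogbeat's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def session_durations(events):
    """Return {TargetLogonId: {user, logon, logoff, duration_ms}}.

    duration_ms is logoff minus logon in whole milliseconds, like the
    transform's max - min bucket_script; a 4624 with no 4634 (or a 4634 whose
    4624 predates collection) gets None so incomplete sessions stay visible.
    """
    sessions = {}
    for ev in events:
        event_id = ev["winlog"]["event_id"]
        if event_id not in ("4624", "4634"):
            continue
        logon_id = ev["winlog"]["event_data"]["TargetLogonId"]
        s = sessions.setdefault(logon_id, {"user": ev["user"]["name"],
                                           "logon": None, "logoff": None})
        s["logon" if event_id == "4624" else "logoff"] = parse_ts(ev["@timestamp"])
    for s in sessions.values():
        complete = s["logon"] is not None and s["logoff"] is not None
        s["duration_ms"] = (s["logoff"] - s["logon"]) // timedelta(milliseconds=1) if complete else None
    return sessions

if __name__ == "__main__":
    for logon_id, s in session_durations(SAMPLE_EVENTS).items():
        print(logon_id, s["user"], s["duration_ms"])
```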

Where should I create that? In Dev Tools or the JSON input (create visualize)?

Dev tools would be the place.
