Logontime logofftime

hello, I'm currently using winlogbeat for window server monitoring. how to i know logon and logoff time an user on windows server?

here's the example of splunk's report

The login and logoff times can be determined from two separate events:

You can correlate the two events based on the TargetLogonId field. Then compute the difference between the timestamps to get the duration for the session. The transform feature is good for this. It can create a new index that contains data similar to that report. Here's a quick example:

PUT _transform/windows-login-durations
{
  "source": {
    "index": [
      "winlogbeat-*"
    ],
    "query": {
      "bool": {
        "should": [
          {
            "bool": {
              "should": [
                {
                  "match": {
                    "winlog.event_id": "4634"
                  }
                }
              ],
              "minimum_should_match": 1
            }
          },
          {
            "bool": {
              "should": [
                {
                  "match": {
                    "winlog.event_id": "4624"
                  }
                }
              ],
              "minimum_should_match": 1
            }
          }
        ],
        "minimum_should_match": 1
      }
    }
  },
  "pivot": {
    "group_by": {
      "winlog.event_data.TargetLogonId": {
        "terms": {
          "field": "winlog.event_data.TargetLogonId"
        }
      },
     "user.name": {
      "terms": {
        "field": "user.name"
      }
    }
    },
    "aggregations": {
      "@timestamp.min": {
        "min": {
          "field": "@timestamp"
        }
      },
      "@timestamp.max": {
        "max": {
          "field": "@timestamp"
        }
      },
      "duration": { 
        "bucket_script": {
          "buckets_path": {
            "start": "@timestamp.min.value",
            "end": "@timestamp.max.value"
          },
          "script": "params.end - params.start"
        }
      }
    }
  },
  "frequency": "1m",
  "dest": {
    "index": "transform-windows-login-durations"
  },
  "settings": {
    "max_page_search_size": 500
  }
}

Then after you start the transform it will create data like this. You can then create a visualization for this data or export it.

GET transform-windows-login-durations/_search
{
  "took" : 6,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 719,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "transform-windows-login-durations",
        "_id" : "ZTDkJSSfP1etbYyvhphqo5w7AAAAAAAA",
        "_score" : 1.0,
        "_source" : {
          "duration" : 49.0,
          "winlog" : {
            "event_data" : {
              "TargetLogonId" : "0x109266"
            }
          },
          "@timestamp" : {
            "min" : "2020-12-22T17:56:47.573Z",
            "max" : "2020-12-22T17:56:47.622Z"
          },
          "user" : {
            "name" : "elastic"
          }
        }
      },
      {
        "_index" : "transform-windows-login-durations",
        "_id" : "ZTBMl4QYXaD6jMxC0OJF6Ab2AAAAAAAA",
        "_score" : 1.0,
        "_source" : {
          "duration" : 82.0,
          "winlog" : {
            "event_data" : {
              "TargetLogonId" : "0x109c04"
            }
          },
          "@timestamp" : {
            "min" : "2020-12-22T17:56:47.626Z",
            "max" : "2020-12-22T17:56:47.708Z"
          },
          "user" : {
            "name" : "elastic"
          }
        }
      },
...
1 Like

where i should create that? in dev tools or json input (create visualize) ?

Dev tools would be the place.