Refine your search:

Return a set of events that occur after a specific event

0

I want to create a search that will return all of the logon failure events (based on a set of event IDs, lets say EventID 600,601,602) that occur after the last "Account Unlocked" event for a specific user.

For example, an event is logged anytime a user account is unlocked. Various events are also logged when a user fails to authenticate properly. After a certain number of failed logon attempts, an account lockout occurs.

I want to be able to specify a username and have the search go look for the last account unlock event (lets say EventID 500), then return any logon failure event (EventID 600, 601,601) that occurred for that user after the account unlock event.

asked 09 May '12, 23:55

jchampagne's gravatar image

jchampagne
9014
accept rate: 20%

2 Answers:
oldestnewestmost voted
1

This should give you a listing of the events for user XXXX in chronological order.

sourcetype=your_sourcetype EventID=500 OR EventID=600 OR EventID=601 OR EventID=602 userID=XXXXX| reverse

More generic (i.e. for all users) you can use the transaction command to group events by user;

sourcetype=your_sourcetype EventID=500 OR EventID=600 OR EventID=601 OR EventID=602|  
transaction userID startswith="EventID=500"

Hope this helps,

Kristian

link

answered 10 May '12, 00:49

kristian.kolb's gravatar image

kristian.kolb
10.1k615
accept rate: 33%

0

Kristian,

Thanks for your reply. I've been playing around with the transaction command this morning and am not finding success. Mainly because the event IDs I'm looking for are not in a sequence, so the startswith and endswith parameters don't seem to work for me.

For example, here is the query I am running:

source="WinEventLog:Security" <Replace with User Name> ("EventCode=4776" AND Keywords="Audit Failure") OR ("EventCode=680" AND "Failure Audit") OR ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") OR (EventCode=671 OR EventCode=4767 OR EventCode=4740 OR EventCode=644) | eval "Caller"=coalesce(Source_Workstation,Client_Address,Caller_User_Name) | eval "Account"=coalesce(User_Name,Logon_account,Logon_Account,User_ID,Security_ID,Target_Account_ID) | eval Description=coalesce(Error_Code_Description, KerberosFailureCode_Description,EventCodeDescription) | table _time, "Account", "Caller", EventCode, Description

This query returns a table of results for the user I specify within the timeframe specified. However, I'd rather see a table that begins with the most recent account unlock event (Actual Event Codes are: 4767 and 671) and ends with the most recent account lock event (4740 or 644). Within the timeframe of those events, I want to see all of the logon failure events for the user (4776, 680,675,672,4771).

Is that even possible in a search?

link

answered 10 May '12, 09:24

jchampagne's gravatar image

jchampagne
9014
accept rate: 20%

edited 10 May '12, 23:43

kristian.kolb's gravatar image

kristian.kolb
10.1k615
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×1,644
×537
×240

Asked: 09 May '12, 23:55

Seen: 572 times

Last updated: 10 May '12, 23:43

Related questions

Field extraction a problem with large events?

How do I search for a single specific event?

Exclude events which occur during a specific hour each day

On-demand tagging of a specific event?

How to return events centered within a time range?

Return recent version of event

My search for a field=value returns 0 events when I know there should be events returned. Why?

Copyright © 2005-2012 Splunk Inc. All rights reserved.