I simply want to audit on which systems our administrators are logged on right now,
but I cannot isolate only the EventCode 4625 events which have no EventCode 4634 event.
The major problem here is that the EventCodes for logon and logoff are dealt with via Logon_IDs.
I want to sort out every logon event (and logoff event) which has a specific logoff event.
First I tried this way:
index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=server-*
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval logid=if(mvcount(Logon_ID)>1, mvindex(Logon_ID,1),mvindex(Logon_ID,0))
| eval LogonID_4624=if(EventCode="4624", mvindex(Logon_ID, 1), null())
| eval LogonID_4634=if(EventCode="4634", Logon_ID, null())
| transaction fields="User" maxspan=-1
| eval Keep_Or_Not=if(LogonID_4624=LogonID_4634, "Keep", "Do_Not_Keep")
| search Keep_Or_Not="Do_Not_Keep"
| table _time, User, EventCode, Keep_Or_Not, LogonID_4624, LogonID_4634, Source_Network_Address, IP_RESOLVED, tag::app
| sort by User
That was not successful, so I tried another query:
index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=server-evermann
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval logid=if(mvcount(Logon_ID)>1, mvindex(Logon_ID,1),mvindex(Logon_ID,0))
| eval LogonID_4624=if(EventCode="4624", mvindex(Logon_ID, 1), null())
| eval LogonID_4634=if(EventCode="4634", Logon_ID, null())
I thank you
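One way to correlate the two events on the session ID instead of on the user, written here as an added example rather than code from the original post. A 4624 event carries two Logon_ID values (the subject that performed the logon and the new session), so the session ID is the last one; a 4634 carries only the session being ended. Grouping with stats by host, user and session lets the logoff count decide whether the session is still open. The index, source and Account_Name pattern are taken from the question; Logon_Type is the standard field from the Windows event message and the output field names are assumed.

```spl
index=wineventlog source="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) Account_Name=server-*
| eval User=mvindex(Account_Name, -1)
| eval SessionID=if(EventCode="4624", mvindex(Logon_ID, -1), mvindex(Logon_ID, 0))
| stats count(eval(EventCode="4624")) AS logons,
        count(eval(EventCode="4634")) AS logoffs,
        min(_time) AS logon_time,
        values(Logon_Type) AS logon_type,
        values(Source_Network_Address) AS src_ip
  BY host, User, SessionID
| where logons > 0 AND logoffs = 0
| convert ctime(logon_time)
| table logon_time, host, User, SessionID, logon_type, src_ip
| sort host, User
```

Two caveats when reading the result: the search time range must reach back far enough to contain the 4624 of a still-open session, otherwise a session whose logon lies before the range shows up as logoff-only and is dropped, and a missing 4634 inside the range does not by itself prove the session is still alive, since a reboot or lost events will also leave a logon without a logoff. Grouping by host is deliberate, because Logon_ID values are only unique per boot of a single machine.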