Install Splunk UF on Windows via Command Prompt/PowerShell:

This little one-liner installs the Splunk Universal Forwarder (UF) on Windows systems that support PowerShell. The user running the PowerShell session needs administrative privileges, and the installer MSI has to be reachable at the path given (network paths also work):

msiexec.exe /i \temp\splunkforwarder-7.2.0-x64.msi DEPLOYMENT_SERVER=":8089" RECEIVING_INDEXER=":9997" AGREETOLICENSE=Yes SPLUNKPASSWORD="PutYourPasswordHere" /L*v \temp\logfile.txt

Add /quiet for a fully unattended run; without it msiexec still shows the installer UI. Be aware that a password passed as SPLUNKPASSWORD on the command line is visible to anyone who can read the process's command line (and it lands in shell history), so use a throw-away value and change it after the install.

Monitoring RDP Login Users with Source IP

The Windows Security log holds a decent amount of information and can be monitored out of the box with the Splunk UF and the Splunk Add-on for Windows, but it is a major pain to correlate Logon IDs (event 4624) with the actual source IP address of the incoming RDP connection, and to tell local console sessions apart from RDP sessions. The better approach is to monitor the TerminalServices-LocalSessionManager -> Operational log, whose events carry the user, the session ID and the source network address together.

To get it running, add the following stanza to your nf:

#$SPLUNKPATH/apps/Splunk_TA_windows/local/nf

I have yet to test whether it also logs "Local" console sessions but I think it does.

Once you have logs rolling in for the above source, you can use the search queries below to show "completed" or "currently running" RDP sessions.

RDP Completed Sessions:

index=main source="wineventlog:microsoft-windows-terminalservices-localsessionmanager/operational" NOT Message="*arbitration*" NOT Message="Session *" host=""
| eval Message = replace(Message,"+", " ")
| eval Domain = mvindex(split(userstring,"\\"),0)
| eval Domain = mvfilter(NOT match(Domain,"NOT_TRANSLATED"))
| eval User = mvindex(split(userstring,"\\"),1)
| transaction Session_ID, User, Source_Network_Address startswith=((Message="*logon succeeded*") OR (Message="*reconnection succeeded*")) endswith=((Message="*logoff succeeded*") OR (Message="*Session has been disconnected*"))

The transaction opens on a "logon succeeded" or "reconnection succeeded" event and closes on the next "logoff succeeded" or "Session has been disconnected" event for the same session, so a session that is disconnected and later reconnected shows up as two transactions, each with the address it was connected from. The NOT Message="Session *" filter drops the "Session X has been disconnected by session Y" style events, which would otherwise match the endswith clause.
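An unattended version of the install procedure above, followed by enabling the LocalSessionManager/Operational input the searches depend on. This is an added example, not the post's own one-liner. The MSI path, deployment server and indexer names and the log path are placeholders; the default install directory (C:\Program Files\SplunkUniversalForwarder), the service name SplunkForwarder and msiexec exit code 3010 (installed, reboot required) are standard. It assumes the Splunk Add-on for Windows is already present under etc\apps, for instance pushed by the deployment server.

```powershell
# Added example, not the post's one-liner: unattended Splunk UF install with
# exit-code handling and a service check, then enabling the
# TerminalServices-LocalSessionManager/Operational input.
# Placeholders (assumptions): $Msi, $DeploymentServer, $Indexer, $InstallLog.
param(
    [string] $Msi              = 'C:\temp\splunkforwarder-7.2.0-x64.msi',
    [string] $DeploymentServer = 'ds.example.local:8089',
    [string] $Indexer          = 'idx.example.local:9997',
    [string] $SplunkHome       = 'C:\Program Files\SplunkUniversalForwarder',
    [string] $InstallLog       = 'C:\temp\splunkuf-install.log'
)

$ErrorActionPreference = 'Stop'

# The MSI needs an elevated session; fail early instead of half-way through.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}
if (-not (Test-Path -LiteralPath $Msi)) { throw "Installer not found: $Msi" }

# Prompt instead of hard-coding the password. It still has to be handed to
# msiexec as a plain argument and is visible in the process command line while
# the installer runs, so use a throw-away value and change it afterwards.
$secure = Read-Host -Prompt 'Initial Splunk admin password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$msiArgs = @(
    '/i', ('"{0}"' -f $Msi),
    ('DEPLOYMENT_SERVER="{0}"' -f $DeploymentServer),
    ('RECEIVING_INDEXER="{0}"'  -f $Indexer),
    'AGREETOLICENSE=Yes',
    ('SPLUNKPASSWORD="{0}"' -f $plain),
    '/quiet',                                  # no installer UI
    '/L*v', ('"{0}"' -f $InstallLog)
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Host 'Splunk UF installed.' }
    3010    { Write-Warning 'Splunk UF installed; a reboot is required (exit code 3010).' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $InstallLog" }
}

# The installer registers and starts the SplunkForwarder service; verify it.
$svc = Get-Service -Name 'SplunkForwarder'
if ($svc.Status -ne 'Running') { Start-Service -Name 'SplunkForwarder' }

# Enable the LocalSessionManager/Operational channel in the Splunk Add-on for
# Windows. renderXml = false keeps the text-rendered event; the searches filter
# on the Message field, which an XML-rendered event does not carry.
$localDir   = Join-Path $SplunkHome 'etc\apps\Splunk_TA_windows\local'
$inputsConf = Join-Path $localDir 'inputs.conf'
$stanza = @'

[WinEventLog://Microsoft-Windows-TerminalServices-LocalSessionManager/Operational]
disabled = 0
renderXml = false
'@
New-Item -ItemType Directory -Path $localDir -Force | Out-Null
if (-not (Test-Path -LiteralPath $inputsConf) -or
    -not (Select-String -LiteralPath $inputsConf -SimpleMatch 'LocalSessionManager/Operational' -Quiet)) {
    Add-Content -LiteralPath $inputsConf -Value $stanza
    Restart-Service -Name 'SplunkForwarder'    # the UF reads inputs.conf at start-up
}
```

The stanza is only appended when the channel is not already referenced in the local inputs.conf, so the script can be re-run without duplicating inputs; settings in the local directory take precedence over the add-on's defaults, which is why the file goes there and not into default.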
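The same pairing the transaction search performs, done locally against the LocalSessionManager/Operational channel with PowerShell, which is handy for checking what the Splunk results should look like on a given host. This is an added example, not code from the post. It relies on the channel's event IDs (21 logon succeeded, 23 logoff succeeded, 24 session disconnected, 25 reconnection succeeded) and on the User, SessionID and Address values those events keep under UserData/EventXML; event 23 has no Address, so the address is taken from the event that opened the segment. The function names and the sample events are constructed for the example.

```powershell
# Added example, not code from the post: pair each "logon succeeded" (21) or
# "reconnection succeeded" (25) event with the next "logoff succeeded" (23) or
# "Session has been disconnected" (24) event for the same session ID, as the
# Splunk transaction search does; whatever is still open is a running session.
# Runs offline on the constructed sample at the bottom; Get-RdpLsmEvent reads
# the real channel on a Windows host.

function Get-RdpSessionRecords {
    param([Parameter(Mandatory)] [object[]] $Events)   # TimeCreated, Id, User, SessionID, Address
    $open     = @{}                                                # SessionID -> opening event
    $finished = [System.Collections.Generic.List[object]]::new()
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        if ($e.Id -eq 21 -or $e.Id -eq 25) {
            $open[$e.SessionID] = $e       # a reconnect after a disconnect starts a new segment
        }
        elseif ($e.Id -eq 23 -or $e.Id -eq 24) {
            $start = $open[$e.SessionID]
            if ($null -eq $start) { continue }   # end event whose start we never saw
            $reason = if ($e.Id -eq 23) { 'logoff' } else { 'disconnected' }
            $finished.Add([pscustomobject]@{
                SessionID = $e.SessionID
                User      = $start.User
                Address   = $start.Address        # 23 carries no Address; the start event does
                Start     = $start.TimeCreated
                End       = $e.TimeCreated
                EndReason = $reason
            })
            $open.Remove($e.SessionID)
        }
    }
    [pscustomobject]@{
        Completed = $finished
        Running   = @($open.Values | Sort-Object TimeCreated)
    }
}

# Read and flatten the real events. Their data sits under UserData/EventXML,
# so the record is parsed as XML to get the named values.
function Get-RdpLsmEvent {
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id      = 21, 23, 24, 25
    } -MaxEvents $MaxEvents | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.UserData.EventXML.ChildNodes) { $data[$n.Name] = $n.InnerText }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            User        = $data['User']
            SessionID   = [int]$data['SessionID']
            Address     = $data['Address']        # $null for event 23
        }
    }
}

# Constructed sample (not real log data): alice logs on, is disconnected,
# reconnects from a different address and logs off; bob is still connected.
$t0 = Get-Date '2018-11-01T08:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0;                 Id = 21; User = 'CORP\alice'; SessionID = 2; Address = '10.0.0.5' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30);  Id = 24; User = 'CORP\alice'; SessionID = 2; Address = '10.0.0.5' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(45);  Id = 25; User = 'CORP\alice'; SessionID = 2; Address = '10.0.0.9' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(50);  Id = 21; User = 'CORP\bob';   SessionID = 3; Address = '10.0.0.7' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(120); Id = 23; User = 'CORP\alice'; SessionID = 2; Address = $null }
)
$result = Get-RdpSessionRecords -Events $sample
$result.Completed | Format-Table -AutoSize   # alice: 08:00-08:30 from 10.0.0.5 (disconnected), 08:45-10:00 from 10.0.0.9 (logoff)
$result.Running   | Format-Table -AutoSize   # bob, session 3, from 10.0.0.7
# On a Windows host: Get-RdpSessionRecords -Events (Get-RdpLsmEvent)
```

The sample shows why the address has to come from the opening event: the logoff for session 2 carries no address at all, and after the reconnect the session is served from 10.0.0.9 rather than the 10.0.0.5 it started from, which is exactly the per-segment view the Splunk transaction keyed on Source_Network_Address gives.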
I needed to use the NetXMS agent on my Alpine Linux system, which I am using as a utility Linux server. The source-code download link for NetXMS v2.2.10 (the latest at the time of this writing) is at

Here is the quick set of dependent packages and libraries I needed to install to be able to compile the NetXMS agent for my Alpine Linux box:

apk add --update alpine-sdk

After installing the above, I could compile and install the NetXMS Agent component with:

tar -xzvf netxms-2.2.10.tar.gz

After successful installation you can modify your NetXMS Agent config at /etc/nf (or copy it over from one of your other Linux boxes) and launch the agent as a daemon using:

nxagentd -D

Categories: tech-stuff
Tags: alpine-linux, compiling, linux, monitoring, netxms, NMS, nxagentd