I'm working on creating a dashboard that is supposed to show a flow of events in Splunk for VPN logins and Citrix sessions opened. The idea is to be able to show the `src` field from juniper_sa_log, as it contains the external IP address of the client, and display that alongside the session information from Citrix, preferably inside the same time range as the connect/disconnect time of the juniper_sa_log event.

It consists of the following sourcetypes:

- juniper_sa_log - this is the first step where users authenticate.
- xenapp:65:session - events are generated when a user opens an application. Fields: user, BrowserName, ConnectTime, LogOnTie, SessionId, ServerName.

The user field is the same throughout the whole chain of events.

I am able to create a transaction on the first sourcetype to show the duration and whether a VPN session is active or not with the following search:

```spl
sourcetype=juniper_sa_log
| transaction user src mvlist=t startswith="eventtype=juniper_sa_authentication_success" endswith="eventtype=juniper_sa_authentication_logout" keepevicted=t
| eval State = if(closed_txn = 1, "Disconnected", "Connected")
| eval elapsed_secs = case(State = "Connected" AND duration != 0, now()-starttime, State = "Connected" AND duration = 0, now()-_time, State = "Disconnected" AND duration != 0, duration)
| eval ExternalIP = src
| eval endtime = if(State = "Connected", null(), starttime+duration)
| stats first(starttime) AS starttime latest(realm) latest(State) latest(elapsed_secs) latest(endtime) BY user,ExternalIP
```

User,src,starttime,latest(realm),latest(State),latest(elapsed_secs),latest(endtime)

Now I have the start time of the VPN connection as well as the endtime for disconnected sessions (and obviously no endtime for still connected sessions).

Now I need to connect this with an event from xenapp:65:session:
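As an added example (not part of the original post), one way to attach the VPN login's `src` to each later Citrix event without `transaction`: pull both sourcetypes into one search, sort per user by time, and let `streamstats` carry the most recent login and logout forward so every xenapp event knows whether the user's VPN session was still open when the application was launched. It assumes the sourcetypes, eventtypes and field names given in the post; `searchmatch` is used so the multivalue `eventtype` field matches reliably.

```spl
(sourcetype=juniper_sa_log (eventtype=juniper_sa_authentication_success OR eventtype=juniper_sa_authentication_logout))
    OR sourcetype="xenapp:65:session"
| eval vpn_event = case(searchmatch("eventtype=juniper_sa_authentication_success"), "login",
                        searchmatch("eventtype=juniper_sa_authentication_logout"),  "logout",
                        sourcetype="xenapp:65:session",                            "citrix")
| eval vpn_src    = if(vpn_event="login",  src,   null())
| eval vpn_login  = if(vpn_event="login",  _time, null())
| eval vpn_logout = if(vpn_event="logout", _time, null())
| sort 0 user _time
| streamstats current=t last(vpn_src) AS ExternalIP last(vpn_login) AS vpn_start last(vpn_logout) AS vpn_end BY user
| where vpn_event="citrix"
| eval State = if(isnotnull(vpn_start) AND (isnull(vpn_end) OR vpn_start > vpn_end), "Connected", "Disconnected")
| eval ExternalIP = if(State="Connected", ExternalIP, null())
| eval vpn_start = strftime(vpn_start, "%Y-%m-%d %H:%M:%S")
| table _time user ExternalIP vpn_start State ServerName SessionId BrowserName
```

`sort 0` is needed because `sort` otherwise caps at 10,000 events, which would silently drop the login that belongs to a Citrix event; a Citrix session with no preceding VPN login (for example an internal user) shows as Disconnected with an empty ExternalIP, and a user holding two VPN sessions at once is resolved to the latest login only.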