Channel: Questions in topic: "splunk-enterprise"

I need to write a query to report on all last logon times for users that logged into any Linux host in our environment. What am I doing wrong?

The query I wrote doesn't seem to work as expected. The timestamp is missing under the logon_time column next to the corresponding listed users, and the users in the user column show many duplicate occurrences (example: 20+ root logons) instead of a single entry of the last logon of that account on that specific host.

sourcetype=linux_secure source="/var/log/secure" (user=* OR ruser=*) ("Accepted Publickey" OR "session opened" OR "Accepted password")
| stats list(user) as User, list(ruser) as "Remote User", list(latest(eval(if(action==success,_time, null())))) as logon_time by host
| eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time)
| sort -count
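Added example (not a reply from the thread): one way to get a single last-logon row per host and account, assuming the user, ruser and host fields are extracted the same way the original search relies on, and with login_user as an assumed name for the merged user/ruser column. Three things break the original: stats functions cannot be nested (list(latest(...)) is rejected), action==success compares against a field called success rather than the string "success", and list(user) grouped only by host returns every occurrence instead of the latest one, so the fix is to group by host and account and take max(_time).

```spl
sourcetype=linux_secure source="/var/log/secure" (user=* OR ruser=*)
    ("Accepted Publickey" OR "session opened" OR "Accepted password")
| eval login_user=coalesce(user, ruser)
| stats max(_time) AS logon_time, count AS logons BY host, login_user
| eval logon_time=strftime(logon_time, "%b %d, %I:%M %p")
| sort host, -logons
```

If only events that the sourcetype tags with action=success should count, add action=success to the base search instead of filtering inside stats, so logon_time is never null for the rows that survive.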
