I would like to be able to track a user's login session from VPN and then login to a Windows server(s). User login scenario: VPN login --> Windows Server Login --> Windows Server Login
VPN Search --> userid=user.id
index=x "Login succeeded" | rex "\]\sGDI\\\(?<userid>[^\(]+)"
Windows Search --> user=user.id
index=wineventlog sourcetype="WinEventLog:Security" Account_Name!="*$" AND Account_Name!=SYSTEM AND EventCode=4624 AND user!="ANONYMOUS LOGON"
I would like to create a table that shows their login time at the VPN, login time and process(es) started on the Windows servers. I can do this separately, but how do you combine the searches?
Thanks.
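
One way to combine the two searches above into a single per-session table, as an added example that is not part of the original post: both event sets are pulled with OR, the user is normalized into one field, and each Windows event is attributed to that user's most recent VPN login. Assumptions: process starts are taken from EventCode 4688 with the New_Process_Name field (process-creation auditing must be enabled), and login_user, is_vpn, vpn_session, vpn_time, win_logon and proc are names made up for this example.

```spl
(index=x "Login succeeded") OR (index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4688) Account_Name!="*$" Account_Name!=SYSTEM user!="ANONYMOUS LOGON")
| rex "\]\sGDI\\\(?<userid>[^\(]+)"
| eval login_user=lower(coalesce(userid, user))
| eval is_vpn=if(index=="x", 1, 0)
| sort 0 login_user _time
| streamstats sum(is_vpn) as vpn_session by login_user
| where vpn_session > 0
| eval vpn_time=if(is_vpn==1, _time, null())
| eval win_logon=if(EventCode==4624, strftime(_time, "%Y-%m-%d %H:%M:%S")." ".host, null())
| eval proc=if(EventCode==4688, strftime(_time, "%Y-%m-%d %H:%M:%S")." ".host." ".New_Process_Name, null())
| stats min(vpn_time) as vpn_login list(win_logon) as windows_logons list(proc) as processes_started by login_user vpn_session
| eval vpn_login=strftime(vpn_login, "%Y-%m-%d %H:%M:%S")
| table login_user vpn_login windows_logons processes_started
```

Windows events are grouped under the latest preceding VPN login for the same user, so without a VPN logout event in the search a session runs until that user's next VPN login; Windows activity with no earlier VPN login in the time range is dropped by the `where` clause.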