
"End Host History & Users" report for NIOS 7.3.200


This report is based on the new NIOS 7.3.200 "End Host History" report/index and, in addition, contains information about the user. This report is only for NIOS 7.3.200 and later. Screen Shot 2016-05-11 at 12.05.42.png

 

<form>
  <label>End Host History &amp; Users</label>
  <description></description>
  <!--
    Splunk SimpleXML form with two panels.
    Panel 1 lists end hosts from the NIOS discovery data (index=ib_discovery) left-joined
    on IP address with user-login events (index=ib_security), so each host row carries the
    user name(s) seen on that IP inside the host's discovery window.
    Clicking a row sets $endhost_ip$, which reveals panel 2 (login history for that IP).
    The five filter inputs below do not filter directly: each one writes a *_str token
    holding an SPL fragment that the panel-1 query splices in verbatim.
    NOTE(review): the joined data maps user identity to IP address; who can view it is
    presumably governed by role access to index=ib_security - confirm before sharing widely.
  -->
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Network view list is built from the discovery data itself; "All" is a fixed extra choice. -->
    <input type="dropdown" token="network_view">
      <label>Network View</label>
      <choice value="All">All</choice>
      <search>
        <query>source=ib:discovery:end_host_activity index=ib_discovery
               | stats count by end_host_network_view</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>end_host_network_view</fieldForLabel>
      <fieldForValue>end_host_network_view</fieldForValue>
      <change>
        <!-- "All": the fragment becomes a single space so nothing is added to the search. -->
        <condition value="All">
          <set token="network_view_str">
            <![CDATA[ ]]>
          </set>
        </condition>
        <condition value="*">
          <set token="network_view_str">end_host_network_view = "$value$"</set>
        </condition>
      </change>
      <default>All</default>
    </input>
    <!--
      NOTE(review): for the free-text inputs below, $value$ is spliced unescaped into a quoted
      SPL string literal. A value containing a double quote or backslash can break out of the
      literal and change the search that runs, so the inputs should be treated as untrusted.
      Splunk's string token filter ($value|s$, which supplies the surrounding quotes and escapes
      quotes/backslashes) is the usual remedy - confirm against the Splunk version in use before
      changing the token expressions. Applies to mac_address, ip_address, first_discovered
      and last_discovered.
    -->
    <input type="text" token="mac_address">
      <label>MAC Address</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="mac_address_str">
            <![CDATA[ ]]>
          </set>
        </condition>
        <condition value="*">
          <set token="mac_address_str">end_host_mac_address = "$value$"</set>
        </condition>
      </change>
    </input>
    <input type="text" token="ip_address">
      <label>IP Address</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="ip_address_str">
            <![CDATA[ ]]>
          </set>
        </condition>
        <condition value="*">
          <set token="ip_address_str">end_host_ip_address = "$value$"</set>
        </condition>
      </change>
    </input>
    <!--
      The two timestamp filters produce a whole pipeline stage ("| where ...") rather than a
      search term, so the "All" case emits "| noop" to keep the pipeline syntactically intact.
      The typed value must match the "%Y-%m-%d %H:%M:%S" format given in the label; anything
      else makes strptime() return null and the comparison silently drops every row.
    -->
    <input type="text" token="first_discovered">
      <label>First Seen (YYYY-MM-DD HH:MM:SS)</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="first_discovered_str">| noop</set>
        </condition>
        <condition value="*">
          <set token="first_discovered_str">| where (end_host_first_discovered &gt;= strptime("$value$", "%Y-%m-%d %H:%M:%S"))</set>
        </condition>
      </change>
    </input>
    <input type="text" token="last_discovered">
      <label>Last Seen (YYYY-MM-DD HH:MM:SS)</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="last_discovered_str">| noop</set>
        </condition>
        <condition value="*">
          <set token="last_discovered_str">| where (strptime("$value$", "%Y-%m-%d %H:%M:%S") &gt;= end_host_last_discovered)</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <!--
    Panel 1: end hosts with correlated users.
    - Base search: discovery events, narrowed by the spliced *_str fragments, then
      stats latest(end_host_last_discovered) per host/switch tuple.
    - Subsearch (join ... type=left max=0): user-login events. TIMEOUT_VALUE defaults to 18000
      when TIMEOUT_VAL is absent, else TIMEOUT_VAL*60 (presumably minutes -> seconds; verify
      against the NIOS log format). A session still marked ACTIVE whose
      last_activeEpoch+TIMEOUT_VALUE is already in the past is relabelled TIMEOUT.
      UName is user_name@domain for sourcetype ib:reserved1, otherwise empty.
    - The where clause keeps a login only if it falls within the host's discovery window
      widened by 86400 s (one day) on each side, or keeps the host row when no login joined
      (isnull(login_time)).
    - NOTE(review): the final "sort -_time" runs after stats, which does not emit _time;
      the sort likely only takes effect via the secondary "MAC Address" key - confirm.
    The <progress> handler clears $endhost_ip$ on every run so panel 2 stays hidden until
    a row is clicked again.
  -->
  <row>
    <panel>
      <table>
        <search>
          <query>source=ib:discovery:end_host_activity index=ib_discovery sourcetype=ib:reserved2 $network_view_str$                  $mac_address_str$                  $ip_address_str$                  $first_discovered_str$                  $last_discovered_str$                                 | fillnull value=""  | stats latest(end_host_last_discovered) as end_host_last_discovered by end_host_ip_address, end_host_mac_address, end_host_name, end_host_network_view, end_host_first_discovered, switch_interface, switch_ip_address, switch_model, switch_name, switch_os_version, switch_vendor, switch_vlan | join end_host_ip_address type=left max=0 [search sourcetype=ib:reserved1 source=ib:user:user_login index=ib_security  |eval TIMEOUT_VALUE=if(isnull(TIMEOUT_VAL),18000,TIMEOUT_VAL*60), status=if((status=="ACTIVE") AND ((last_activeEpoch+TIMEOUT_VALUE) &lt; now()),"TIMEOUT",status), end_host_ip_address=ip_address, UName=if(sourcetype=="ib:reserved1",user_name."@".domain,""), timeout_time=last_activeEpoch+TIMEOUT_VALUE , login_time=strptime(login_time,"%Y-%m-%d %H:%M:%S")  | stats latest(timeout_time) as timeout_time by end_host_ip_address, UName, status, login_time]  | where (end_host_first_discovered-86400&lt;=login_time and end_host_last_discovered+86400&gt;timeout_time) OR isnull(login_time) | stats values(UName) as user_name by end_host_last_discovered, end_host_ip_address, end_host_mac_address, end_host_name, end_host_network_view, end_host_first_discovered, switch_interface, switch_ip_address, switch_model, switch_name, switch_os_version, switch_vendor, switch_vlan            | eval end_host_last_discovered=strftime(end_host_last_discovered,"%Y-%m-%d %H:%M:%S"), end_host_first_discovered=strftime(end_host_first_discovered,"%Y-%m-%d %H:%M:%S")             | rename end_host_mac_address as "MAC Address" end_host_ip_address as "IP Address" end_host_first_discovered as "First Seen" end_host_last_discovered as "Last Seen" end_host_name as Hostname end_host_network_view 
as "Network View" switch_name as "Network Device Name" switch_vendor as "Network Device Vendor" switch_model as "Network Device Model" switch_os_version as "Device OS Version" switch_ip_address as "Network Device IP Address" switch_interface as "Network Device Interface" switch_vlan as "Vlan"  user_name as "User Name" login_time as "User First Seen" logout_time as "User Logout Time" last_active as "User Last Seen"  status as "User Status"               | table "MAC Address" "IP Address" Vlan Hostname "User Name" "First Seen" "Last Seen" "Network View" "Network Device Name"  "Network Device Interface" "Network Device IP Address" "Network Device Vendor" "Network Device Model"                | sort -_time +str("MAC Address")</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <progress>
            <condition>
              <unset token="endhost_ip"></unset>
            </condition>
          </progress>
        </search>
        <option name="rowNumbers">true</option>
        <option name="drilldown">row</option>
        <option name="wrap">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <!--
          Row click: the clicked row's "IP Address" cell is copied raw into $endhost_ip$ and
          becomes part of the panel-2 search text. The value originates from indexed event
          data rather than from the viewer, but it is still interpolated unescaped
          (see the NOTE on the text inputs above).
        -->
        <drilldown>
          <condition field="*">
            <set token="endhost_ip">$row.IP Address$</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <!--
    Panel 2: login history for the selected IP. Hidden until $endhost_ip$ is set.
    NOTE(review): $endhost_ip$ is inserted as a bare search term after the index clause, not as
    ip_address="...", so it presumably matches the IP anywhere in the event rather than only in
    the ip_address field - confirm this is intended.
    eventstats finds the latest last_activeEpoch per (user_name, ip_address, login_time) and only
    that most recent record of a still-ACTIVE session can be relabelled TIMEOUT.
    The "undefined" option values below look like a UI-export artifact; they are literal strings
    here, not unset options.
  -->
  <row>
    <panel>
      <table depends="$endhost_ip$">
        <title>Users Login History</title>
        <search>
          <query>sourcetype=ib:reserved1 source=ib:user:user_login index=ib_security                  $endhost_ip$ | eval TIMEOUT_VALUE=if(isnull(TIMEOUT_VAL),18000,TIMEOUT_VAL*60)                  | eventstats latest(last_activeEpoch) as l_last_active by user_name, ip_address, login_time                  | eval status=if((last_activeEpoch=l_last_active) AND (status=="ACTIVE") AND ((last_activeEpoch+TIMEOUT_VALUE) &lt; now()),"TIMEOUT",status)                  | sort -_time                  | rename timestamp as Time, user_name as "User Name", login_time as "First Seen/Login Time", logout_time as "Logout Time", last_active as "Last Seen/Logout Time", last_updated as "Last Updated", ip_address as "IP Address", domain as "Domain", status as "User Status",                  | table "Last Updated" "User Name" "Domain" "IP Address" "First Seen/Login Time"  "Last Seen/Logout Time" "User Status"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

BR,

Vadim
