Advice on Multiple MAC/ISE users logged into the same machine

Posted this on Splunk Answers. Trying to come up with a way to log when multiple users are logged into the same machine simultaneously.

The sourcetypes I have are: Cisco ISE, Windows Security, and Active Directory.

The catch is we're primarily a MAC shop. My hope was to leverage Cisco ISE - a really fancy RADIUS-like network authentication server - to capture usernames and IP addresses. Though things haven't gone quite as I'd hoped.

sourcetype="cisco:ise:syslog" (Framed_IP_Address!="...\\" AND Framed_IP_Address!="\\") (User_Name!="*-*-*-*-*-*" AND User_Name!="" AND User_Name!="anonymous")
| stats  values(User_Name) as Users, dc(User_Name) AS user_count by Framed_IP_Address
| sort  - user_count, Users
| table  Framed_IP_Address, Users, user_count

I was hoping someone could review the above line, and provide advice on how to better search for multiple users logged into the same IP Address.
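
An added example, not part of the original post: the search above counts distinct users per IP over the whole time range, so an address that DHCP later hands to someone else looks shared. This Python sketch applies the same filters to constructed records and only flags an IP when different users authenticate within a sliding window. The 15-minute window, the case-folding of usernames and the sample data are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed sample records (not real logs): (_time, Framed_IP_Address, User_Name)
SAMPLE = [
    ("2024-01-08 09:00:00", "10.1.1.20", "alice"),
    ("2024-01-08 09:05:00", "10.1.1.20", "00-11-22-33-44-55"),  # excluded by the wildcard
    ("2024-01-08 09:07:00", "10.1.1.20", "Bob"),
    ("2024-01-08 09:10:00", "10.1.1.21", "carol"),
    ("2024-01-08 13:00:00", "10.1.1.21", "dave"),   # hours later: address likely reassigned
    ("2024-01-08 09:12:00", "10.1.1.22", "anonymous"),
    ("2024-01-08 09:13:00", "10.1.1.22", "erin"),
]

def shared_ips(records, window=timedelta(minutes=15)):
    """Return {ip: sorted users} for IPs where more than one distinct user
    authenticated within `window` of each other (an approximation of
    simultaneous use; the window length is an assumption to tune)."""
    by_ip = defaultdict(list)
    for ts, ip, user in records:
        # Same exclusions as the post's search: empty, anonymous, *-*-*-*-*-*
        if not ip or not user or user == "anonymous":
            continue
        if fnmatchcase(user, "*-*-*-*-*-*"):
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # Assumption: "Bob" and "bob" are the same account
        by_ip[ip].append((when, user.lower()))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        recent = deque()  # events no older than `window` before the current one
        for when, user in events:
            recent.append((when, user))
            while when - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u in recent}
            if len(users) > 1:
                flagged.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    for ip, users in shared_ips(SAMPLE).items():
        print(ip, users)
```
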

Posted
5 years ago