cmdReporter Wiki


SSH Logins and Activity

Key Fields

subject.terminal_id.ip_address

IP address of the remotely controlling computer. Any actions done while in an ssh session are tagged with the remote IP. Any local actions will have a value of

Filter and Refinement Fields

host_info.host_name (or host_uuid)

Filter and sort events based on which host they occurred on

exec_chain.thread_uuid

Follow a process execution tree linked together by a single thread_uuid. "What did that script just do?" is a common question, easily answered by searching for the script's thread_uuid.

Interesting Events


Generated any time a new user session is created


Generated any time a user successfully connects to the locally listening ssh service

Example Searches

// Searches are in Splunk's search format

All events with a remotely controlling computer:

NOT subject.terminal_id.ip_address=

exec_chain.thread_uuid and child processes associated with each originating application:

(index="cmdreporter") parent_process="*" NOT subject.terminal_id.ip_address=
| eval Destination=coalesce(app,'path.1','subject.process_name')
| stats values(Destination), values(exec_chain.thread_uuid), values(host_info.host_name), count by parent_process
| rename values(Destination) as Application, parent_process as "Originating App", values(exec_chain.thread_uuid) as "Thread UUIDs", values(host_info.host_name) as Hosts
| table count, Hosts, "Originating App", "Thread UUIDs", Application
| sort count
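The same grouping the Splunk search above performs, carried out in Python over a handful of constructed cmdReporter-style events (an added example, not code from this wiki or from cmdReporter). It assumes events arrive as flat dicts keyed by the Splunk field names shown on this page, and treats an event as remote when subject.terminal_id.ip_address is present and non-empty.

```python
"""Mirror the page's search: keep remote (ssh-driven) events, derive Destination
with the same coalesce order, and group by parent_process. Events are flat dicts
keyed by the Splunk field names from this page (an assumption of this example)."""
from collections import defaultdict

# Constructed sample events, not real cmdReporter output.
EVENTS = [
    {"host_info.host_name": "mac-01", "subject.terminal_id.ip_address": "203.0.113.7",
     "exec_chain.thread_uuid": "T1", "parent_process": "sshd", "app": "bash"},
    {"host_info.host_name": "mac-01", "subject.terminal_id.ip_address": "203.0.113.7",
     "exec_chain.thread_uuid": "T1", "parent_process": "bash", "path.1": "/usr/bin/curl"},
    {"host_info.host_name": "mac-02", "subject.terminal_id.ip_address": "198.51.100.9",
     "exec_chain.thread_uuid": "T2", "parent_process": "bash",
     "subject.process_name": "python3"},
    # Local session: no remote terminal IP, so the search's NOT clause drops it.
    {"host_info.host_name": "mac-01", "exec_chain.thread_uuid": "T3",
     "parent_process": "Terminal", "app": "ls"},
]

def is_remote(event):
    # Assumption: a non-empty remote terminal IP marks an ssh-driven action.
    return bool(event.get("subject.terminal_id.ip_address"))

def destination(event):
    # eval Destination=coalesce(app,'path.1','subject.process_name')
    for key in ("app", "path.1", "subject.process_name"):
        if event.get(key):
            return event[key]
    return None

def summarize(events):
    """stats values(...) count by parent_process, restricted to remote events
    that carry a parent_process. Returns {parent_process: row}."""
    rows = defaultdict(lambda: {"count": 0, "Application": set(),
                                "Thread UUIDs": set(), "Hosts": set()})
    for ev in events:
        if not ev.get("parent_process") or not is_remote(ev):
            continue
        row = rows[ev["parent_process"]]
        row["count"] += 1
        if destination(ev):
            row["Application"].add(destination(ev))
        row["Thread UUIDs"].add(ev["exec_chain.thread_uuid"])
        row["Hosts"].add(ev["host_info.host_name"])
    return dict(rows)

def thread_activity(events, thread_uuid):
    """'What did that script just do': every Destination on one thread_uuid, in order."""
    return [destination(ev) for ev in events if ev.get("exec_chain.thread_uuid") == thread_uuid]

if __name__ == "__main__":
    for parent, row in sorted(summarize(EVENTS).items(), key=lambda kv: kv[1]["count"]):
        print(parent, row)
```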
