...Working on a helpdesk trying to walk a user through telling you their IP or computer name so you can remote in to help them.
...Working in infosec. trying to complete a system access investigation, where you need to know who had an IP at a specific time.
...Working in Higher Ed., trying to justify if you need more computer labs based on use of your current labs.
...Trying to track down a file that may have been saved on the C:\ of a computer in a common use lab environment, and your customer forgot which PC it might be on.
...Frustrated by trying to determine if the windows security event log is an actual logon or something else, because they all kind of look the same.
...You have a gajillion PCs with horrible names that don't mean anything and you would like to organize them into logical AD OU's
We've all been there...
How it works
FWNUA runs via windows login scripts or GPO. When a user logs on or off a system it records details of the session and sends it to Splunk, via syslog.
FWNUA collects the currently logged on Username, Domain Name, Computer/Host Name, Current IP address, and if the event is a logon, or logoff.
FWNUA tells you who is behind the keyboard and what IP was attached to it at a given point in time, all from a single logging source. (A feat that is nye impossible to accomplish with any single windows event log source)
Challenges I ran into
The biggest problem I ran into while trying to make FWNUA shareable and easy to use, was just that. Most open source projects have an extremely steep learning curve to implement. Most Windows admins don't know linux and this made developing and implementing things commonly done on LAMP difficult for most.
Our project started off life as a Visual Basic executable with a Perl cgi web interface. We quickly changed the project to a ANSI C executable with a more robust PHP interface, but it was slow and clunky. (It was also an isolated data store.) At this time we did everything flat file and there were writing operations happening over the network to network shares. (horrible programming practices on our part)
Several years later I got fed up and transitioned the project to what it should have been all along... A simple exe component with direct syslog notification capabilities. The only question now, was where to send the data?
A friend of mine turned me onto Splunk and the project has never looked back. It was a match made in heaven. When I found Splunk, it made my project so much more easy for people to use effectively. I no longer needed to focus my coding efforts on web interfaces or ways to parse data. I could focus on the collection of the data and the type of data I wanted to collect. Splunk allows my project to shine and allows our users to make FWNUA data even more useful by indexing with other data that can make it even more useful.
People who find my project for the first time are now being turned onto Splunk at the same time. I think it's good for both of us.
Accomplishments that I'm proud of
FWNUA has been downloaded over 6,000 times and is in use at schools and companies all over the world. I've even received reports from small companies who use it for time tracking their employees. It's been useful every place I've ever worked and I use it daily.
What I learned
Having clear and concise log data makes all the difference in the world. Splunk just makes it infinitely more useful.
What's next for FWNUA - Free Windows User Accounting
I plan to re-code our collection tool to gather even more snippets of information in the future.
Splunk is my answer machine. FWNUA is just metadata for the answers. The more you feed the Splunk beast, the more problems you can solve with it. FWNUA is a critical part of our security and IT business operations and I don't see that changing any time soon.