Splunk GUI User Audit needed for LogIn and LogOut

mbasharat — Wed, 30 Sep 2020 02:19:16 GMT

Hi,

I have a need for auditing Splunk GUI Users for auditing. Our configuration is with LDAP and SSO. Therefore, _audit and _internal indexes won't work so I am using below REST unless advised otherwise.

I need User LogIn data for time frame in AGe section in below SPL. This should also include the users who have not LoggedIn/Used Splunk.

Fields to include:

User Name
User Email
User Role
Time Accessed/Log In
Time Accessed/Log Out
Total Logged Session Duration
Last LogIn
Splunk Server
Client/User IP
Time Passed/Age since Last LogIn

REST used:
| rest /services/authentication/httpauth-tokens
| search userName!="splunk-system-user"

| table splunk_server, id, searchId, userName, timeAccessed

_audit and _internal indexes used:

Sample timestamp value: 09-19-2019 07:08:41.775
Sample _time value: 2019-09-19 03:08:41.775
(There is a difference noticed between timestamp and _time. It might be because of actual occurrence of event v/s the time Splunk data ingestion/event time. Also need assistance stripping these fields as appropriate)

index=_audit sourcetype=audittrail "action=login attempt"
| rename info as status

| replace succeeded with success in status
| replace failed with failure in status
| replace "login attempt" with login in action

| stats count by user host action status timestamp, _time

| append [search index=_internal sourcetype=splunk_web_service "action=login attempt"
| stats count by user host action status timestamp _time]

| join type=OUTER user [search index=_internal (component=UiAuth OR sourcetype=splunk_web_service)
| stats first(host) as host by user]

| eval age=ceiling((now()-strptime(_time,"%Y-%m-%d %H:%M:%S.%3N"))/86400)
| eval Session_Age=case(
age<30,"1_Less than 30 Days",
age>=365,"7_Older than 1 Year",
age>=180,"6_Older than 180 Days",
age>=120,"5_Older than 120 Days",
age>=90,"4_Older than 90 Days",
age>=60,"3_Older than 60 Days",
age>=30,"2_Older than 30 Days",
0==0,"8_No Age Data")

| table timestamp, _time, Session_Age, user, host, action, status, count

Goal is to have details of users that have not logged in or are not here any more and delete their unused artifacts e.g. AdHoc dashboards, reports, lookups etc. to remove clutter. Splunk ES is not the option on the table at the moment. I am executing above commands on Search Heads but they are not giving me what I need. What am I missing? Thanks in Advance!!!

Re: Splunk GUI User Audit needed for LogIn and LogOut

mbasharat — Sun, 29 Sep 2019 12:15:44 GMT

After looking into several factors explained in the question above, I ended up looking at the user's last search activities to consider an anchor of user's last time access. Used below query to produce results:

index=_audit host="*sh*" action=search
| stats latest(_time) as _time by user, host, search
| sort _time, user Desc
| dedup user
| fields user, host, search, _time

topic Splunk GUI User Audit needed for LogIn and LogOut in Security

Splunk GUI User Audit needed for LogIn and LogOut

| table splunk_server, id, searchId, userName, timeAccessed

Re: Splunk GUI User Audit needed for LogIn and LogOut