topic Re: Problem logging into splunk in Security

Problem logging into splunk

lain179 — Wed, 03 Apr 2013 22:19:10 GMT

Hi,

I have been using the same credential to login to my Splunk, but all of a sudden it stops working this afternoon. The log shows the following error. I know my password is correct because it's my AD account and I use the same pwd to login to my computer. How can I troubleshoot this login problem?

Thanks.

2013-04-03 14:52:55,190 ERROR   [515ca4b6f952fec88] account:216 - user=xxx action=login status=failure reason=user-initiated useragent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)" clientip=xx.xx.x.xxx

Re: Problem logging into splunk

vincesesto — Wed, 03 Apr 2013 22:53:20 GMT

Hey lain179,
I am not sure how splunk works with DA, but have you had a look at the passwd file that holds default user details in:
$SPLUNKHOME/etc/passwd
Might be somewhere to start.
Regards Vince

Re: Problem logging into splunk

lain179 — Wed, 03 Apr 2013 23:55:32 GMT

That only has a list of the accounts created in Splunk. Not AD accounts. Other people from same AD group don't have any problem logging in.

Re: Problem logging into splunk

nurtdi — Wed, 23 Jul 2014 15:42:29 GMT

We have the same issue - did you find anything on this? thanks

Re: Problem logging into splunk

Voltaire — Wed, 23 Jul 2014 18:21:03 GMT

Are you using Splunk and or LDAP to authenticate?

Re: Problem logging into splunk

Voltaire — Wed, 23 Jul 2014 18:22:34 GMT

If it is Splunk, yu can change the password here "$SPLUNKHOME/etc/passwd" Restart splunk and login with the Splunk default password

Re: Problem logging into splunk

nurtdi — Wed, 23 Jul 2014 18:30:32 GMT

This is only affecting AD users

Re: Problem logging into splunk

Voltaire — Wed, 23 Jul 2014 18:40:06 GMT

Are you using LDAP to authenticate to AD with Splunk??

Re: Problem logging into splunk

nurtdi — Mon, 28 Sep 2020 17:09:24 GMT

Yes! I see the issue with AD users.
the search-heads have same error as in original question. and it is not a single server that has an issue.
This search 'index=_* "action=login status=failure" | stats count by user reason date_month date_mday date_wday date_hour host' sorts it out and I can see different users and different hosts with the error - all intermittent.

Re: Problem logging into splunk

Voltaire — Wed, 23 Jul 2014 19:22:32 GMT

Did you configure LDAP roles in Splunk for authentications? If yes, did you use LDAP search method or another utility to verify the LDAP attributes in configuring the "LDAP connection settings"
For example did you verify The Group base DN? Exaple
"OU=Security Groups - AIS,DC=ad,DC=it,DC=yourdc,DC=ext