topic Re: How can I index login events to the web gui? in Monitoring Splunk

How can I index login events to the web gui?

balbano — Tue, 31 Jan 2012 18:24:11 GMT

Hi all,

I noticed 2 things today:

Doesn't look like my indexers are indexing any login events to the GUI.
When going to $splunk_home/var/log/splunk/web-service* , I only see successful login events being logged and not failed login event.

I would like to get both successful and failed login events indexed via Splunk so I can create alerts for multiple failed logins.

Any help you can provide on this would be great.

Thanks.

Brian

Re: How can I index login events to the web gui?

hexx — Tue, 31 Jan 2012 18:59:24 GMT

Those events are logged to the _audit index and can be retrieved with the following search :

index=_audit action="login attempt" info=failed

Re: How can I index login events to the web gui?

sideview — Tue, 31 Jan 2012 19:08:21 GMT

UPDATE:

The audit index already tracks everything you should need:

index=_audit action="login attempt" | stats count by user info

ORIGINAL:

1- when a user logs in succcessfully, there's an event that happens in SplunkWeb's splunk web_service log, that can be matched by the search:

index=_internal sourcetype=splunk_web_service user=* action="login" status="success"

Unfortunately though this log declines to log anything at all when a login fails. Possibly if you change log level to DEBUG it might, but that will make it an extremely chatty log.

2- All of the POST's to the /login endpoint will show up in SplunkWeb's web_access log: for instance many events will match this search:

index=_internal sourcetype="splunk_web_access" POST "/en-US/account/login" status=200

Unfortunately SplunkWeb returns 200 even when login fails (and when it should thus return 401).

From what I've seen, and granted I haven't looked into it very long, there's not a good way of differentiating a failed login event from a successful login event. However there's a bad and messy way that might at least stimulate someone else's thinking on the matter.

index=_internal ( sourcetype=splunk_web_service user=* action="login" status="success") OR ( sourcetype="splunk_web_access" POST "/en-US/account/login" status=200 ) | eval loginstatus=if(sourcetype="splunk_web_service",status,loginstatus) | transaction clientip endswith="sourcetype=splunk_web_access" | fillnull loginstatus value="failed" | fillnull user value="unknown" | stats count by user loginstatus clientip

Re: How can I index login events to the web gui?

balbano — Tue, 31 Jan 2012 21:32:07 GMT

Thanks Hex. Do you know what would be the best way to alert for any user who has failed login more than 5 times? The current query kinda just shows everyone but want to alert for any user who fails more than 5 times. Any assistance you can provide in that would be great.

Thanks.
Brian

Re: How can I index login events to the web gui?

sideview — Tue, 31 Jan 2012 22:05:04 GMT

index=_audit action="login attempt" info=failed | stats count by user | where count>4

Re: How can I index login events to the web gui?

balbano — Tue, 31 Jan 2012 23:36:41 GMT

awesome!!! Thanks dude!!!

Re: How can I index login events to the web gui?

balbano — Tue, 31 Jan 2012 23:37:47 GMT

Good to know!!! Thanks Nick!!!